From: Reini U. <ru...@x-...> - 2005-10-30 17:47:57
2005/10/19, Dan Frankowski <dfr...@cs...>:
> For your fun and enjoyment here is an undergraduate thesis on making
> PhpWiki into a WYSIWIKI:
>
> http://www.tc.umn.edu/~yile0001/thesis.pdf
>
> I am not necessarily recommending this as a plan of action, but I think
> it's good to be exposed to these ideas. I will say that one of my vocal
> users feels WYSIWIKI (without a save button!) would be a huge win.
> Disclosure: I did not write this thesis, but I did work with Scott on
> other things.
>
> Dan
>
> The short story:
>
> - Markup is hard for some
> - Markup is ambiguous sometimes (e.g., "*happy days*" produces a bullet
> instead of bold)

This is a bug which should be fixed sometime...

> - Saving should happen more easily

Very good idea.

> A trial implementation:

Can Scott please make CinchWiki available?
I agree with most of his points.

> - Bolt a WYSIWYG editor onto the wiki, in this case SPAW,
> http://sourceforge.net/projects/spaw

My initial WYSIWYG wiki was guiki. Brain-dead simple.

> - Save pages in straight HTML so it is a logical, consistent, powerful
> language

pagetype=html

> - Do it in a way so people don't have to hit an "edit" or "save" button
> anymore (!!). It just auto-saves every few seconds (to the same
> revision, so it doesn't create huge numbers of revisions)

InlineEditing can only be done if ENABLE_WYSIWYG is the one and only editing option.
Maybe provide a link to the traditional wikimarkup edit textarea...

> Some limitations to be solved, with proposals for solutions for each:
>
> - Lack of plugin support

This can be done by some custom insert plugin button (as in phpwiki-1.3.11) and a form to edit the args, as described in the thesis, plus some AJAX code in the background. I don't like the idea of magic HTML comments. Plugins should be translated with pagetype=html to use xml syntax:

    <plugin name=AllUsers options>
      <ul><li>intermediate list by AJAX</li>
      </ul>
    </plugin>

> - HTML vulnerability

The RawHtml plugin uses a safe_html lib to strip possible vulnerabilities.
http://chxo.com/scripts/safe_html-test.php

A set of functions for sanitizing user input:
- keeps "friendly" tags but strips javascript events and style attributes
- closes any open comment tags
- closes any open HTML tags - results may not be valid HTML, but at least they will keep the rest of the page from breaking
- treats the following as malicious conditions and returns text stripped of all html tags:
  - any instances of ='javascript:
  - event or style attributes remaining after initial replacement

See also http://simon.incutio.com/archive/2003/02/23/safeHtmlChecker

--
Reini Urban
http://phpwiki.org/
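The safe_html rules listed in the message, as an added Python example that is neither the chxo safe_html library nor PhpWiki code: an allowlist parser that keeps friendly tags, drops event and style attributes, closes dangling tags, and falls back to tag-stripped text when a javascript: URL is found. The tag and attribute allowlists and the whitespace stripping before the scheme check are my assumptions; HTML comments are dropped rather than closed.

```python
import html
import re
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}  # assumed
ALLOWED_ATTRS = {"a": {"href", "title"}}  # assumed allowlist, not chxo's own list
_CTRL_WS = re.compile(r"[\x00-\x20]")  # stripped before the scheme check (assumption)

class MaliciousHTML(Exception): pass  # a 'malicious condition' was hit: caller strips all tags

class SafeHTML(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []  # output pieces, kept tags still open
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content still flows through
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name == "style":
                continue  # event handlers and inline style are stripped
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # anything else not explicitly allowed
            value = value or ""
            if _CTRL_WS.sub("", value).lower().startswith("javascript:"):
                raise MaliciousHTML("javascript: URL in <%s %s>" % (tag, name))
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag != "br":
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in self.stack:  # close tags opened inside it, then the tag itself
            for inner in iter(self.stack.pop, tag):
                self.out.append("</%s>" % inner)
            self.out.append("</%s>" % tag)
    def handle_data(self, data):  # comments never reach here: HTMLParser drops them
        self.out.append(html.escape(data, quote=False))
    def result(self):
        self.close()
        while self.stack:  # close anything still open at end of input
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)

def sanitize(fragment):
    """Sanitized fragment, or tag-stripped text when a malicious condition fires."""
    parser = SafeHTML()
    try:
        parser.feed(fragment)
        return parser.result()
    except MaliciousHTML:
        return html.escape(re.sub(r"<[^>]*>", "", fragment), quote=False)
```

A scheme allowlist (http, https, mailto, relative) is the stronger choice for href in practice; the javascript: check above mirrors the behaviour the message describes.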