From: Fabien C. <fab...@go...> - 2011-05-24 22:01:34
Dear all,

I had a look tonight at how we could translate the website using gettext + launchpad, just like we translate the rest of the program. I have a small PHP test which can load a .mo file and use it to translate the content of the main webpage. We could just add a 'website' directory into the stellarium source which contains the content and add a new translation domain 'stellarium-website' in the cmake scripts and in Launchpad translation service.

This approach has several advantages: it will be much easier for contributors to translate the website, it will be easier to manage updates, the whole code will be stored in the main Stellarium bzr.

On the other hand there could be a number of issues:

1 - We will lose the current translated php files content. I think it's quite OK when I see the quite bad state of website translation. We could also use this opportunity to update a bit the webpage content.

2 - There may be some security issues by allowing untrusted people to edit the translated website content in launchpad (like injection of javascript etc.). A solution could be to allow only trusted people to edit the translations on launchpad, but unfortunately the permissions management for project translation in LP is unfortunately not very flexible and as far as I understood, I don't think it's possible.

3 - Anything else?

Fabien
From: Alexander W. <ale...@gm...> - 2011-05-25 01:52:30
2011/5/25 Fabien Chéreau <fab...@go...>:
> This approach has several advantages: it will be much easier for
> contributors to translate the website, it will be easier to manage
> updates, the whole code will be stored in the main Stellarium bzr.

I would prefer not to load a website in the main repository of Stellarium's.

> On the other hand there could be a number of issues:
> 1 - We will lose the current translated php files content. I think
> it's quite OK when I see the quite bad state of website translation.
> We could also use this opportunity to update a bit the webpage
> content.

I agree with this position.

> 2- There may be some security issues by allowing untrusted people to
> edit the translated website content in launchpad (like injection of
> javascript etc.). A solution could be to allow only trusted people to
> edit the translations on launchpad, but unfortunately the permissions
> management for project translation in LP is unfortunately not very
> flexible and as far as I understood, I don't think it's possible.

This issue is being addressed through changes policy permissions for the translation project - but you can not specify different policies for different "domain's" within one project.

> 3- Anything else?

How to update translations on the site?

--
With best regards, Alexander
From: Fabien C. <fab...@go...> - 2011-05-25 06:45:53
On Wed, May 25, 2011 at 03:52, Alexander Wolf <ale...@gm...> wrote:
> 2011/5/25 Fabien Chéreau <fab...@go...>:
>> This approach has several advantages: it will be much easier for
>> contributors to translate the website, it will be easier to manage
>> updates, the whole code will be stored in the main Stellarium bzr.
>
> I would prefer not to load a website in the main repository of Stellarium's.

Why? If the doc and wiki directories are omitted it would add only 4mb.

>> On the other hand there could be a number of issues:
>> 1 - We will lose the current translated php files content. I think
>> it's quite OK when I see the quite bad state of website translation.
>> We could also use this opportunity to update a bit the webpage
>> content.
>
> I agree with this position.
>
>> 2- There may be some security issues by allowing untrusted people to
>> edit the translated website content in launchpad (like injection of
>> javascript etc.). A solution could be to allow only trusted people to
>> edit the translations on launchpad, but unfortunately the permissions
>> management for project translation in LP is unfortunately not very
>> flexible and as far as I understood, I don't think it's possible.
>
> This issue is being addressed through changes policy permissions for
> the translation project -

I don't see how.

> but you can not specify different policies
> for different "domain's" within one project.

It's another problem yes.

>> 3- Anything else?
>
> How to update translations on the site?

You will have to copy the .po from Launchpad, compile them into .mo and upload them to the website in a new locale/ directory.

Fab

> --
> With best regards, Alexander
>
> ------------------------------------------------------------------------------
> vRanger cuts backup time in half-while increasing security.
> With the market-leading solution for virtual backup and recovery,
> you get blazing-fast, flexible, and affordable data protection.
> Download your free trial now.
> http://p.sf.net/sfu/quest-d2dcopy1
> _______________________________________________
> Stellarium-pubdevel mailing list
> Ste...@li...
> https://lists.sourceforge.net/lists/listinfo/stellarium-pubdevel
From: Bogdan M. <dag...@gm...> - 2011-05-25 06:55:03
On Wed, May 25, 2011 at 9:45 AM, Fabien Chéreau <fab...@go...> wrote:
> On Wed, May 25, 2011 at 03:52, Alexander Wolf <ale...@gm...> wrote:
>> 2011/5/25 Fabien Chéreau <fab...@go...>:
>>> This approach has several advantages: it will be much easier for
>>> contributors to translate the website, it will be easier to manage
>>> updates, the whole code will be stored in the main Stellarium bzr.
>>
>> I would prefer not to load a website in the main repository of Stellarium's.
>
> Why? If the doc and wiki directories are omitted it would add only 4mb.

It may be a source of conflicts when merging branches into the trunk. The fewer merge conflicts, the better.

>>> 2- There may be some security issues by allowing untrusted people to
>>> edit the translated website content in launchpad (like injection of
>>> javascript etc.). A solution could be to allow only trusted people to
>>> edit the translations on launchpad, but unfortunately the permissions
>>> management for project translation in LP is unfortunately not very
>>> flexible and as far as I understood, I don't think it's possible.
>>
>> This issue is being addressed through changes policy permissions for
>> the translation project -
>
> I don't see how.
>
>> but you can not specify different policies
>> for different "domain's" within one project.
>
> It's another problem yes.

I suggest using the existing stellarium-website project, though I don't see how we can avoid code injection. Perhaps using the PHP script that includes the text to strip tags? If this is going to be a security vulnerability, I suggest abandoning the plan. Our website is visited by a lot of people.

Regards,
Bogdan Marinov
From: Alexander W. <ale...@gm...> - 2011-05-25 07:15:45
2011/5/25 Fabien Chéreau <fab...@go...>:
>> This issue is being addressed through changes policy permissions for
>> the translation project -
> I don't see how.

Open the dialog "Configure translations" in project settings and look at the "Translation group" and "Translation permissions policy" dialogs.

--
With best regards, Alexander
From: Alexander W. <ale...@gm...> - 2011-05-25 07:18:36
I have one question: can I use mod_rewrite on stellarium.org as an example? If mod_rewrite works then we can use only one index.php for all languages.

--
With best regards, Alexander
From: Fabien C. <fab...@go...> - 2011-05-25 07:18:50
On Wed, May 25, 2011 at 09:15, Alexander Wolf <ale...@gm...> wrote:
> 2011/5/25 Fabien Chéreau <fab...@go...>:
>>> This issue is being addressed through changes policy permissions for
>>> the translation project -
>> I don't see how.
>
> Open the dialog "Configure translations" in project settings and look
> "Translation group" and "Translation permissions policy" dialogs

Yes but you can't easily create a new group there: these are predefined groups. We could maybe try to ask for creation of a new group, but it doesn't really fit the rest of the groups there (ubuntu translators, Gnome project translators etc.).

Fab

> --
> With best regards, Alexander
From: Alexander W. <ale...@gm...> - 2011-05-25 07:35:23
2011/5/25 Fabien Chéreau <fab...@go...>:
> Yes but you can't easily create a new group there: these are
> predefined groups. We could maybe try to ask for creation of a new
> group, but it doesn't really fit the rest of the groups there (ubuntu
> translators, Gnome project translators etc.).

But we can start with an open or structured model and migrate in future to a more strict model.

--
With best regards, Alexander
From: Fabien C. <fab...@go...> - 2011-05-25 07:44:02
On Wed, May 25, 2011 at 08:54, Bogdan Marinov <dag...@gm...> wrote:
> On Wed, May 25, 2011 at 9:45 AM, Fabien Chéreau
> <fab...@go...> wrote:
>> On Wed, May 25, 2011 at 03:52, Alexander Wolf <ale...@gm...> wrote:
>>> 2011/5/25 Fabien Chéreau <fab...@go...>:
>>>> This approach has several advantages: it will be much easier for
>>>> contributors to translate the website, it will be easier to manage
>>>> updates, the whole code will be stored in the main Stellarium bzr.
>>>
>>> I would prefer not to load a website in the main repository of Stellarium's.
>>
>> Why? If the doc and wiki directories are omitted it would add only 4mb.
>
> It may be a source of conflicts when merging branches into the trunk.
> The fewer merge conflicts, the better.
>
>>>> 2- There may be some security issues by allowing untrusted people to
>>>> edit the translated website content in launchpad (like injection of
>>>> javascript etc.). A solution could be to allow only trusted people to
>>>> edit the translations on launchpad, but unfortunately the permissions
>>>> management for project translation in LP is unfortunately not very
>>>> flexible and as far as I understood, I don't think it's possible.
>>>
>>> This issue is being addressed through changes policy permissions for
>>> the translation project -
>>
>> I don't see how.
>>
>>> but you can not specify different policies
>>> for different "domain's" within one project.
>>
>> It's another problem yes.
>
> I suggest using the existing stellarium-website project, though I
> don't see how we can avoid code injection. Perhaps using the PHP
> script that includes the text to strip tags? If this is going to be a
> security vulnerability, I suggest abandoning the plan. Our website is
> visited by a lot of people.

I agree. Possible technical solutions are, as you said, to strip tags, e.g. with http://php.net/manual/en/function.strip-tags.php or by escaping HTML special characters http://www.php.net/manual/en/function.htmlspecialchars.php

The only problem is that we need to allow for certain tags like <a> because their position is language dependent, so we also need to make sure they don't contain attributes with javascript, like onclick.

Fab

> Regards,
> Bogdan Marinov
From: Alexander W. <ale...@gm...> - 2011-05-25 07:51:47
2011/5/25 Fabien Chéreau <fab...@go...>:
> The only problem is that we need to allow for certain tags like <a>
> because their position is language dependent, so we also need to make
> sure they don't contain attributes with javascript, like onclick.

Look at http://ru.php.net/manual/en/function.strip-tags.php#89453 - it's not a problem.

--
With best regards, Alexander
From: Fabien C. <fab...@go...> - 2011-05-27 20:48:17
OK finally I managed to do the conversion to gettext for the index.php. See the branch: https://code.launchpad.net/~xalioth/stellarium-website/with-gettext

I think it is now also safe from code injection (I just escape every string translated, if they contain html it just displays the html code.)

If you agree we could merge this branch and add the .pot as a translation for the stellarium-website project.

Matthew, it would be nice if the stellarium-website project could be managed by the stellarium-website or at least the stellarium team so that I can go on.

Fabien

On Wed, May 25, 2011 at 09:51, Alexander Wolf <ale...@gm...> wrote:
> 2011/5/25 Fabien Chéreau <fab...@go...>:
>> The only problem is that we need to allow for certain tags like <a>
>> because their position is language dependent, so we also need to make
>> sure they don't contain attribute with javascript, like onclick.
>
> Look http://ru.php.net/manual/en/function.strip-tags.php#89453 - it's
> not problem
>
> --
> With best regards, Alexander
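
The escaping approach discussed in this thread, as an added example that is not part of the original messages or of the Stellarium website branch: every translated string is escaped with htmlspecialchars, and links whose position depends on the language are expressed as placeholders that the site code expands into an <a> with a site-controlled href. The function name, the {linkN}...{/linkN} placeholder convention, the URL and the sample strings are assumptions constructed for illustration.

```php
<?php
// Added example; names and sample strings are constructed for illustration.

/**
 * Render one translated string for HTML output.
 * Everything the translator typed is escaped; the only markup that can
 * appear is an <a> built here from a site-controlled URL list.
 * Placeholder syntax {linkN}...{/linkN} is a hypothetical convention.
 */
function render_translated(string $translated, array $links = []): string
{
    // Step 1: escape <, >, &, and both quote styles in the whole string.
    $safe = htmlspecialchars($translated, ENT_QUOTES, 'UTF-8');

    // Step 2: turn placeholder pairs into anchors. The href comes from
    // $links (site code), so a translation cannot add attributes or URLs.
    $out = preg_replace_callback(
        '/\{link(\d+)\}(.*?)\{\/link\1\}/s',
        function (array $m) use ($links): string {
            $n = (int) $m[1];
            if (!isset($links[$n])) {
                return $m[2];                 // unknown index: keep text only
            }
            $href = htmlspecialchars($links[$n], ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $safe
    );
    return $out ?? $safe;                     // regex failure: escaped text
}

// Site-controlled link targets (placeholder URL).
$links = [1 => 'https://example.org/download'];

// In the real page the string would come from gettext, e.g. _('...').
$samples = [
    'Téléchargez {link1}la dernière version{/link1} ici.',           // normal
    '{link1}ok{/link1} <a href="#" onclick="alert(1)">x</a>',        // hostile
    '{link2}no such link{/link2} & <b>bold</b>',                     // bad index
];

foreach ($samples as $s) {
    echo render_translated($s, $links), PHP_EOL;
}
```

Because escaping happens before placeholder expansion, any tag or attribute typed into a translation is shown as literal text, while the link can still sit wherever the target language needs it.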