From: Jean-Marc L. <jea...@gm...> - 2010-10-07 13:54:38
This is an issue I encountered on http://tiki.org/TikiFestStrasbourg2011

I tried to insert an image by entering this:

{img src="http://test01.jmlibs.name/tiki-download_file.php?fileId=2212" }

This is totally correct syntax and it works fine on my test Tiki6 installations. Sefurl is not activated on my Tiki6 installations, including test01.jmlibs.name

But on http://tiki.org sefurl seems to be activated and the image plugin is rendered as:

<img alt="Image" src="http://test01.jmlibs.name/dl2212">

This does not work, since test01.jmlibs.name does not have sefurl.

I think it is wrong for {img} to apply sefurl transformation on "external" web urls since:

* It's the user's responsibility to enter it correctly. Anti-XSS security checks are OK, second-guessing is not. We should keep as close to what was entered as is reasonable.
* It fails if the external site does not have sefurl (and I certainly don't intend to activate it)
* It will fail if/when sefurl rules change on future Tiki versions (like if we get /-based sefurl like http://test01.jmlibs.name/files/2212 )

Thinking about it, I don't see any good reason why we apply sefurl to internal urls.

I know nothing about the parser code, but my suggestion is: source urls in img plugin should not pass through sefurl filter.

Cheers,
Jyhem
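
The behaviour reported in the message above, sketched as an added example that is not part of the original post and is not Tiki's parser code: the short-URL rewrite is applied only when the image source points at the local host, and external URLs are returned exactly as entered. The function names, the `$localHost` and `$sefurlEnabled` parameters, and the `dl<ID>` rule (inferred from the two URLs quoted in the post) are assumptions.

```php
<?php
// Added illustration, not Tiki code. Names and the dl<ID> rule are assumptions.

/** True when $url is relative or its host equals $localHost. */
function is_local_url(string $url, string $localHost): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === false) {
        return false;            // malformed URL: treat as external, do not touch it
    }
    if ($host === null) {
        return true;             // no host component: relative, therefore local
    }
    return strcasecmp($host, $localHost) === 0;
}

/** Rewrite a file-download URL to its short form, for local sources only. */
function img_src_sefurl(string $src, string $localHost, bool $sefurlEnabled): string
{
    // External sources are returned byte-for-byte as the user entered them:
    // the remote site may have no short URLs, or different rewrite rules.
    if (!$sefurlEnabled || !is_local_url($src, $localHost)) {
        return $src;
    }
    // Only the exact form quoted in the post is rewritten; anything carrying
    // extra parameters or a fragment is left unchanged.
    if (preg_match('~^(.*/)?tiki-download_file\.php\?fileId=(\d+)$~', $src, $m)) {
        return $m[1] . 'dl' . $m[2];
    }
    return $src;
}

// Sample inputs: the first is the URL from the post, the others are constructed.
$samples = [
    'http://test01.jmlibs.name/tiki-download_file.php?fileId=2212',
    'http://tiki.org/tiki-download_file.php?fileId=2212',
    'tiki-download_file.php?fileId=2212',
    'http://tiki.org/tiki-download_file.php?fileId=2212&display',
];
foreach ($samples as $src) {
    echo $src, ' => ', img_src_sefurl($src, 'tiki.org', true), "\n";
}
```

Sanitising the source URL against XSS is a separate step that still applies to every URL, local or external; this sketch covers only the decision of whether to rewrite.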