WYSIWYG in comments

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
Post Reply
MuzAn
Posts: 4
Joined: Sun Sep 03, 2006 10:35 pm

WYSIWYG in comments

Post by MuzAn »

WYSIWYG usage in articles is nice to have, though I --as the article writer-- can easily make do without it.

Since it is the authors that get to use it, there's easily much more capable alternatives --OpenOffice, Nvu etc-- which means you can simply copy paste from them to s9y.

And, face it, for any site that's worth its salt, the number of comments far exceeds the number of articles.

OK. That was the prelude. Here's my gripe:

My average comment author is no where near a web developer, s/he gets very much frustrated with all that tag soup excercises (the square bracket tags too).

I assume that allowing full HTML usage is dangerous (how? and why?), but isn't it somehow possible to allow a very restiricted subset (strip the rest) and make the comment authors' life be a little easier?

It is entirely possible that there exist such a plugin, but I did look around quite a bit, but I haven't found one.

I would very much love to find one. Does anyone know where --if nowhere, any reason why this is so neglected..
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: WYSIWYG in comments

Post by garvinhicking »

I assume that allowing full HTML usage is dangerous (how? and why?),
Absolutely. Allowing HTML introduces all sort of JavaScript injection, which can lead to cookie disclosure, password disclosure and web defacement.

The same reason why web forums (like phpBB) do not offer WYSIWYG.

What they offer, though, is a simple BBCode markup. You could take that simple JavaScript and put it in your commentform.tpl template file. You could also make a simple plugin for that; the serendipity_event_emoticonchooser for example already has the emoticion chooser sidebar. Putting a "B, i, u" icon bar into it should not be hard. In fact I thought somebody had already done that. If you like, I could also pacth the plugin for you so that it supports those tags.

Until now, most people where happy enough with just using the bbcode tags (a link for all tags exists in the comment form). But I understand you would want a toolbar for that.

However, WSYIWYG editing will never happen (at least not from my side and not officially in Spartacus) because of the very dangerous security risks. People would think it imposes no risk if it were available. ;)

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
MuzAn
Posts: 4
Joined: Sun Sep 03, 2006 10:35 pm

Re: WYSIWYG in comments

Post by MuzAn »

Absolutely. Allowing HTML introduces all sort of JavaScript injection, which can lead to cookie disclosure, password disclosure and web defacement.
Thank you for responding. I am not too fluent on this issue, so if you could bear with me just a little more, I have a couple of extension questions on top of my gripe :)

How would it be possible for someone to inject JS code if all we (on the server side) is interested in a limited number of tags (that is, excluding things like <script> etc?
The same reason why web forums (like phpBB) do not offer WYSIWYG.
I can see that, but, on the other hand, operators such as Google (gmail) seems to be quite comfortable with offering WYSIWYG functionality and my users are pestering for something like that all the time.
Until now, most people where happy enough with just using the bbcode tags (a link for all tags exists in the comment form). But I understand you would want a toolbar for that.
:) Well, as I mentioned, people like gmail have a lot to answer for :)
However, WSYIWYG editing will never happen (at least not from my side and not officially in Spartacus) because of the very dangerous security risks. People would think it imposes no risk if it were available. ;)
Would you consider making the API conducive to WYSIWYG functionality (I am assuming it isn't at the moment) if people using it took an oath to not blame you for any security issues --i.e. it comes with a great big disclaimer that it could even decapitate my newborn :)

And added to that I would even promise to make sure that anyone that gets to the comment writing stage is fully screened ;)
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: WYSIWYG in comments

Post by garvinhicking »

Hi!
How would it be possible for someone to inject JS code if all we (on the server side) is interested in a limited number of tags (that is, excluding things like <script> etc?
A blacklist is very hard to do. You can also bypass this filter by using <a href="javascript:evil_function()"> or <a onclick="evilfunction"> and many, many more. It would be impossible to catch them all, because every system that has tried to do so has had bugs in the past.
as Google (gmail) seems to be quite comfortable with offering WYSIWYG functionality
That's a difference! What HTML is entered in an E-Mail will only show up on the client of the receiving user. You could insert any malicious HTML there, the email clients usually do not render HTML, or if so, they have a more proper working implementation of filtering HTML.

In a blog or forum, user-created content is shown immediuately to a broad range of authors. That is a very large difference than email posting.
Would you consider making the API conducive to WYSIWYG functionality (I am assuming it isn't at the moment) if people using it took an oath to not blame you for any security issues --i.e. it comes with a great big disclaimer that it could even decapitate my newborn :)
No, I am not willing to change the API to allow for HTML injection. :) It can be done with some tricks, though.

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
MuzAn
Posts: 4
Joined: Sun Sep 03, 2006 10:35 pm

Re: WYSIWYG in comments

Post by MuzAn »

Hi,
A blacklist is very hard to do. You can also bypass this filter by using <a href="javascript:evil_function()"> or <a onclick="evilfunction"> and many, many more. It would be impossible to catch them all, because every system that has tried to do so has had bugs in the past.
So, IOW, you're saying using JS would NOT pose a significant (if any) risk to the server, but you're concerned about the clients/users of the blog/forum.

While I appreciate the considerate attitude, I am not at all sure it is sufficient to make life harder for much larger numbers of people. Especially if all we're talking about is some possible malusage which requires an action by the user (such as clicking on a given link).

Quite a number of SW offers WYSIWYG as an option, for example vBulletin and wowBB etc, Trouble is, they dont offer blogging functionality.
That's a difference! What HTML is entered in an E-Mail will only show up on the client of the receiving user. You could insert any malicious HTML there, the email clients usually do not render HTML, or if so, they have a more proper working implementation of filtering HTML.
Just to test how lax it might be, I just sent myself some <script> stuff and gMail filtered it all out --no trace. So, they must be doing some blacklisting on tags.

Just to test a little more: Could you conjure an evil piece of code I can send myself and see if it works on gMail?
No, I am not willing to change the API to allow for HTML injection. :) It can be done with some tricks, though.
Any names that have done this that I can have a copy :)
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: WYSIWYG in comments

Post by garvinhicking »

Hi!
IOW, you're saying using JS would NOT pose a significant (if any) risk to the server, but you're concerned about the clients/users of the blog/forum.
Not necessarily! It first only affects the User's client. But imagine if you are the visiting client, people could give you an <iframe> that uses javascript to POST data to your serendipity backend to remove all your entries. This would be straight ahead executed, deleting all your entries - just because you are logged in to serendipity. Basically, evil visitors can remote control your browser.
While I appreciate the considerate attitude, I am not at all sure it is sufficient to make life harder for much larger numbers of people. Especially if all we're talking about is some possible malusage which requires an action by the user (such as clicking on a given link).
The funny thing about XSS is, is that it can easily be coded to be automated, without any user interaction, malicious code can be executed.

We take security very high in Serendipity, and the upside of using HTML in comments is very low. Easy tags like BBCode are much easier, and most people even understand that easier than <strong> or other HTML tags.

I offered to create a bbcode markup bar, but since you didn't take on that, there's nothing more I could do. :)
Quite a number of SW offers WYSIWYG as an option, for example vBulletin and wowBB etc, Trouble is, they dont offer blogging functionality.
Are you sure about that? I thought vBulleting also only offered the Pseudo-WYSWYIG using BBCode markup?
So, they must be doing some blacklisting on tags.
Yes, but blacklisting tags is like wizardry. There are a gazillion possible evil combinations which are PRETTY hard to filter out.

Google GMail has a development team of several hundred people; if they were available to serendipity or if they revelead their filtering code, we COULD implement it of course. And I would even do it.

But one of the reasons why the google filters seem to work is because they're closed source. nobody can see how they are filtering and abuse flaws in their implementation. For serendipity the implemention would be open to investigation, and thus people can much easier exploit blacklist-weaknesses.
Just to test a little more: Could you conjure an evil piece of code I can send myself and see if it works on gMail?
It might be that this is possible. But it would require a huge amount of trying, which I am not able to dedicate.
No, I am not willing to change the API to allow for HTML injection. :) It can be done with some tricks, though.
Any names that have done this that I can have a copy :)[/quote]

I believe the plugin 'serendipity_event_unstrip_tags' does something that goes into this direction...

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
stm999999999
Regular
Posts: 1531
Joined: Tue Mar 07, 2006 11:25 pm
Location: Berlin, Germany
Contact:

Post by stm999999999 »

I offered to create a bbcode markup bar, but since you didn't take on that, there's nothing more I could do.
Oh, a bbcode bar! This would be fine :-)
Ciao, Stephan
Post Reply