Official: Redactor Composer now available in 0.7.1+
-
@Codejet said:
@Drew-Llewellyn Nope, not for me. I'm surprised NodeBB developers have not complained about the security risks.
They were quite stringent on this in the beginning.
There is no preview either; maybe if it had that I would use it. There would be a lot of messing around if you didn't get all your HTML right the first time, and there really is no way to test if it works, so it gets published straight to the forum. Modern-day forums allow previews before finally submitting the real thing.
I did discuss this with @julian by email. There was a one month grace period where we could return Redactor for a full refund, so we took the opportunity to explore it and assess it for security concerns like script injection and iframe manipulation. We were happy it is secure.
For the preview, you'll note that the preview currently provided is a different font size than the actual post, @ mentions don't have the same colour as they will in a post, the background colour is different, and large quotes that get 'folded up' in the actual post aren't folded in the preview. So I would argue that Redactor's WYSIWYG editor is more accurate in its preview than the default composer.
If it's not for you, you don't need to worry, as the markdown-based composer is still available and supported. For other people who want rich content and more style options this is probably more for them, especially people who are running forums where the initial post is staff-written content. Any company wanting to put together stylish, eye-grabbing posts will want more than just what markdown provides.
Thanks for giving it a test drive and providing feedback.
-
I'm getting a browser console error:
NS_ERROR_FAILURE:
as soon as I open the composer on any page, and it becomes unresponsive. Any idea what this could be?
-
@yariplus said:
I'm getting a browser console error:
NS_ERROR_FAILURE:
as soon as I open the composer on any page, and it becomes unresponsive. Any idea what this could be?
Any more info on what the console error is? Are all resources loading (no 404s etc.)? Which browser, and which version? Which OS?
-
Not working on Safari, can't write.
Also, if I don't disable the markdown plugin, all I get is HTML code as the result in my posts.
Wonder what will happen with old posts if markdown is disabled?
-
@exodo said:
Wonder what will happen with old posts if markdown is disabled?
The raw markdown will show up. You can maintain compatibility with old posts by disabling HTML sanitisation in the markdown plugin settings, but this is only safe because Redactor comes with its own sanitiser.
It is a definite security risk to disable HTML sanitisation without another method of sanitisation in use.
-
@julian said:
@exodo said:
Wonder what will happen with old posts if markdown is disabled?
The raw markdown will show up. You can maintain compatibility with old posts by disabling HTML sanitisation in the markdown plugin settings, but this is only safe because Redactor comes with its own sanitiser.
It is a definite security risk to disable HTML sanitisation without another method of sanitisation in use.
If you mean this, I always had it disabled.
-
@yariplus I don't get that message on FF.
I get:
downloadable font: OS/2: bad linegap: -32 (font-family: "RedactorFont" style:normal weight:normal stretch:normal src index:0) source: data:application/x-font-ttf;charset=utf-8;base64{someBase64} stylesheet.css:13:31133
but that's it.
-
@Drew-Llewellyn
Hmm, I tried disabling my plugins, but it's still happening.
FireBug tells me it's from this code in public/src/overrides.js:
    // http://stackoverflow.com/questions/511088/use-javascript-to-place-cursor-at-end-of-text-in-text-input-element
    // jQuery plugin: focus each matched input and move the caret to the end of its value.
    $.fn.putCursorAtEnd = function () {
        return this.each(function () {
            $(this).focus();
            if (this.setSelectionRange) {
                // Doubling the length is a guard for browsers that count differently;
                // any value past the end still places the caret at the end.
                var len = $(this).val().length * 2;
                this.setSelectionRange(len, len); // Throws error here
            } else {
                // Fallback for elements without setSelectionRange: re-assigning the
                // value moves the caret to the end.
                $(this).val($(this).val());
            }
            this.scrollTop = 999999;
        });
    };
The error could be unrelated, but the cursor is the main problem. I can type, but I can't move the cursor or select things. And buttons seem to work only when they feel like it. Submit does post though.
-
Impressive, a $500 donation.
-
Yeah @Codejet, I get your feelings, and probably markdown is the better solution today (which is why the Redactor composer is not the default right now).
Hopefully we get to a point where we get an awesome WYSIWYG composer that blows other forum composers out of the water. One step at a time.
Whatever the community can contribute will make this thing more awesome, exactly like how we have progressed with the core itself so far.
-
Well said @psychobunny
-
For anyone looking to contribute, the repo is here:
https://github.com/NodeBB/nodebb-plugin-composer-redactor.
Fork, improve, make a pull request.
-
@phil said:
The new composer looks nice. Very impressive work.
Just one quick question. Are you doing server side HTML sanitization or are you completely relying on Redactor to provide clean HTML? If so, where is the server side code that does the sanitization.
OK, I've answered my own question. No server side sanitization. It's very easy to inject JavaScript code into a post for XSS.
I would strongly recommend not deploying this to a production site until server side HTML sanitization is implemented. If any of the devs would like to know how I XSS'd my test site, let me know.
-
@phil said:
@phil said:
The new composer looks nice. Very impressive work.
Just one quick question. Are you doing server side HTML sanitization or are you completely relying on Redactor to provide clean HTML? If so, where is the server side code that does the sanitization.
OK, I've answered my own question. No server side sanitization. It's very easy to inject JavaScript code into a post for XSS.
I would strongly recommend not deploying this to a production site until server side HTML sanitization is implemented. If any of the devs would like to know how I XSS'd my test site, let me know.
I've forked and am adding server side validation. Does Redactor have a list of all the tags and attributes that pass its validation? In order for server side validation to not mess things up, it needs to perform the same validation the client performs. It would be even more useful if the guys over at Redactor made their client side validation code available in a separate library.
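The point raised in this post, and in Julian's earlier note that turning off the markdown plugin's sanitiser is only safe when another sanitiser is in use, comes down to an allowlist pass the server runs on every submitted post regardless of what the client editor did. The following is an added illustration of that pass in Node.js, not code from the plugin, NodeBB or Redactor; ALLOWED_TAGS, ALLOWED_ATTRS and SAFE_URL are assumed stand-ins that in a real deployment would have to mirror the client's own list exactly.

```javascript
// Added illustration (not the plugin's, NodeBB's or Redactor's code): a minimal
// allowlist sanitiser showing what a server-side pass has to do. The allowlists
// below are assumed stand-ins; in practice they must match the client's list.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'strong', 'em', 'u', 'a',
  'ul', 'ol', 'li', 'blockquote', 'pre', 'code']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
// Only these href forms are kept; javascript:, data: and vbscript: URLs are rejected.
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;

// Escape text so it cannot open a tag; already-encoded entities are left alone.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only the attributes allowlisted for this tag (drops on* handlers, style, ...).
function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  for (let m; (m = attrRe.exec(raw)) !== null;) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
    if (!allowed.has(name)) continue;
    if (name === 'href' && !SAFE_URL.test(value)) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Walk the input as tags, comments and text. Comments and non-allowlisted tags are
// removed; any text they wrapped survives but is escaped, so a stripped <script>
// leaves only inert text behind.
function sanitizeHtml(html) {
  const tokenRe = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let out = '';
  for (let m; (m = tokenRe.exec(html)) !== null;) {
    const [tok, closing, name, attrs] = m;
    if (tok.startsWith('<!--')) continue;
    if (name === undefined) { out += escapeText(tok); continue; } // text or stray '<'
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, attrs)}>`;
  }
  return out;
}
```

Because the server pass re-applies the same allowlist the client uses, clean posts come through unchanged while anything the editor would never have emitted is dropped, which is exactly the property the client-only approach cannot give.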