Official: Redactor Composer now available in 0.7.1+


  • @yariplus Will try and take a look later tonight. I don't have FF and I'm at work right now 😃

  • Plugin & Theme Dev

Not working on Safari, can't write.
Also, if I don't disable the markdown plugin, all I get is HTML code as the result in my posts.

Wonder what will happen with old posts if markdown is disabled?

  • GNU/Linux Admin

    @exodo said:

Wonder what will happen with old posts if markdown is disabled?

    The raw markdown will show up. You can maintain compatibility with old posts by disabling HTML sanitisation in the markdown plugin settings, but this is only safe because Redactor comes with its own sanitiser.

    It is a definite security risk to disable HTML sanitisation without another method of sanitisation in use.

  • Plugin & Theme Dev

    @julian said:

    @exodo said:

Wonder what will happen with old posts if markdown is disabled?

    The raw markdown will show up. You can maintain compatibility with old posts by disabling HTML sanitisation in the markdown plugin settings, but this is only safe because Redactor comes with its own sanitiser.

    It is a definite security risk to disable HTML sanitisation without another method of sanitisation in use.

If you mean this, I always had it disabled:
    Captura de pantalla 2015-07-22 a las 19.39.10.png

  • GNU/Linux Admin

    Disable HTML Sanitisation / Enable HTML usage

    Sorry for the confusing text 😆

  • Plugin & Theme Dev

    @julian said:

    Disable HTML Sanitisation / Enable HTML usage

    Sorry for the confusing text 😆

I see 👊


  • @yariplus I don't get that message on FF.
    I get:
    downloadable font: OS/2: bad linegap: -32 (font-family: "RedactorFont" style:normal weight:normal stretch:normal src index:0) source: data:application/x-font-ttf;charset=utf-8;base64{someBase64} stylesheet.css:13:31133 but that's it.

  • Community Rep

    @Drew-Llewellyn

    Hmm, I tried disabling my plugins, but it's still happening.

    FireBug tells me it's from this code in public/src/overrides.js:

    // jQuery helper: focus a text input and move the caret to its end.
    // http://stackoverflow.com/questions/511088/use-javascript-to-place-cursor-at-end-of-text-in-text-input-element
    $.fn.putCursorAtEnd = function() {
        return this.each(function() {
            $(this).focus();

            if (this.setSelectionRange) {
                var len = $(this).val().length * 2;
                this.setSelectionRange(len, len);          // Throws error here
            } else {
                $(this).val($(this).val());
            }
            this.scrollTop = 999999;
        });
    };

    The error could be unrelated, but the cursor is the main problem. I can type, but I can't move the cursor or select things. And buttons seem to work only when they feel like it. Submit does post though.


• Impressive, a $500 donation 😉

  • Admin

Yeah @Codejet, I get your feelings, and probably markdown is the better solution today (which is why the Redactor composer is not the default right now).

    Hopefully we get to a point where we get an awesome WYSIWYG composer that blows other forum composers out of the water. One step at a time 😉

    Whatever the community can contribute will make this thing more awesome, exactly like how we have progressed with the core itself so far.


  • Well said @psychobunny 👍


  • For anyone looking to contribute, the repo is here:
    https://github.com/NodeBB/nodebb-plugin-composer-redactor.
    Fork, improve, make a pull request.
    ❤ ❤ ❤


  • @julian
    I can't DM you because you don't follow me. Just updated Redactor in the github repo. I don't think I have permission to publish the npm package though.


  • The new composer looks nice. Very impressive work.

Just one quick question. Are you doing server-side HTML sanitization, or are you completely relying on Redactor to provide clean HTML? If so, where is the server-side code that does the sanitization?


  • @phil said:

    The new composer looks nice. Very impressive work.

Just one quick question. Are you doing server-side HTML sanitization, or are you completely relying on Redactor to provide clean HTML? If so, where is the server-side code that does the sanitization?

OK, I've answered my own question. No server-side sanitization. It's very easy to inject JavaScript code into a post for XSS.

I would strongly recommend not deploying this to a production site until server-side HTML sanitization is implemented. If any of the devs would like to know how I XSS'd my test site, let me know.


  • @phil said:

    @phil said:

    The new composer looks nice. Very impressive work.

Just one quick question. Are you doing server-side HTML sanitization, or are you completely relying on Redactor to provide clean HTML? If so, where is the server-side code that does the sanitization?

OK, I've answered my own question. No server-side sanitization. It's very easy to inject JavaScript code into a post for XSS.

I would strongly recommend not deploying this to a production site until server-side HTML sanitization is implemented. If any of the devs would like to know how I XSS'd my test site, let me know.

I've forked and am adding server-side validation. Does Redactor have a list of all the tags and attributes that pass its validation? In order for server-side validation not to mess things up, it needs to perform the same validation the client performs. It would be even more useful if the guys over at Redactor made their client-side validation code available in a separate library. 🙂


• @phil they have a list of tags they *don't* take:
    http://imperavi.com/redactor/docs/security/

    But no explicit list of ones they do. I can see from your pull request you've added a list. Is that one you took from somewhere specific or built yourself?

    A huge thank you to you @phil for making a contribution to the Redactor composer plugin. Gold stars and dancing girls for you!*

    (* gold stars not made of real gold. Dancing girls may or may not be dancing, may or may not be girls. Offer void in Utah)


  • @drew said:

@phil they have a list of tags they *don't* take:
    http://imperavi.com/redactor/docs/security/

    But no explicit list of ones they do. I can see from your pull request you've added a list. Is that one you took from somewhere specific or built yourself?

    I dug through the Redactor source to find what they were sanitizing against and made the list to match what they were doing.

    A huge thank you to you @phil for making a contribution to the Redactor composer plugin. Gold stars and dancing girls for you!*

    (* gold stars not made of real gold. Dancing girls may or may not be dancing, may or may not be girls. Offer void in Utah)
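A minimal server-side allow-list sanitiser of the kind phil describes above, matching the "anything not explicitly allowed is dropped" approach Drew notes Redactor does not publish as a list. This is an added example, not the plugin's code and not Redactor's list; the `sanitizeHtml` name, the tag and attribute sets, and the scheme allow-list are assumptions for illustration.

```javascript
// Added example, not the plugin's or Redactor's code. A simplified server-side
// allow-list sanitiser for Node.js: anything not explicitly allowed is dropped,
// so a client-side bypass cannot store script in a post.
// ALLOWED_TAGS / ALLOWED_ATTRS are assumed for illustration, not Redactor's list.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a',
  'ul', 'ol', 'li', 'blockquote', 'pre', 'code', 'img']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'] };
// URL allow-list by scheme: rejects javascript:, data:, vbscript: and the like.
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitizeHtml(html) {
  // 1. Remove script/style elements with their bodies, and HTML comments.
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')
             .replace(/<!--[\s\S]*?-->/g, '');
  // 2. Rebuild every remaining tag from the allow-lists. Unknown tags vanish
  //    but their inner text stays; attribute values are re-quoted and escaped
  //    raw (a full sanitiser would entity-decode them first).
  return html.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (whole, name, rest) => {
    name = name.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (whole[1] === '/') return `</${name}>`;        // closing tags carry no attrs
    const allowed = ALLOWED_ATTRS[name] || [];
    const attrRe = /([a-z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
    const out = [];
    let m;
    while ((m = attrRe.exec(rest)) !== null) {
      const key = m[1].toLowerCase();
      const val = (m[2] ?? m[3] ?? m[4]).trim();
      if (!allowed.includes(key)) continue;            // drops on*, style, target...
      if ((key === 'href' || key === 'src') && !SAFE_URL.test(val)) continue;
      out.push(` ${key}="${escapeAttr(val)}"`);
    }
    return `<${name}${out.join('')}>`;
  });
}

// Constructed sample post body: the handler attribute and script element are removed.
console.log(sanitizeHtml('<p onclick="x()">hello <b>world</b></p><script>alert(1)</script>'));
```

The same allow-lists would have to be kept in step with whatever the client-side editor accepts, which is the coordination problem phil raises.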


• I've run into an issue (I've posted on GitHub with no response), so I figured I would try here.

    When activating Redactor it seems I cannot compose a post in Safari; however, it works fine in Chrome. Any thoughts on this? Others on GitHub were able to reproduce the issue, so it's not a theme issue.

    https://github.com/NodeBB/nodebb-plugin-composer-redactor/issues/4


• @tfraley You're getting replies on GitHub, but I think what you're saying is it's not fixed. If you know JS and you have Safari (or anyone reading this), pull requests welcome!
