29/1/2010 3:53:03
#1

HTMLPurifier Admin Options - your opinions

With the addition of Admin Config options for HTMLPurifier in ImpressCMS 1.2, I would like to ask our developers, designers & users their opinions.

Mainly I would like to know the following:

1. Are the tool tips easy to understand?
2. What options have you left as 'default' or untouched?
3. If you have changed any options, which options have you changed & what have you changed them to?

There are a hell of a lot of options for Purifier, & I am aware that a large percentage of those options will never ever be changed from their defaults; likewise I know that some of those options will be changed by users as they mess about with their sites.

I would like to gather this information together, so that in time, those options that are never ever changed by people, can be moved to a more internal hardcoded setting, those settings that people change regularly, we can determine the changes, and if many people are changing the same options with the same changes, then we can in future incorporate those changes as part of the default settings.

I know some of the options there may look & sound complicated, but you'll probably find those settings will hardly be changed by users, so if you don't understand the implications of changing something, then it is likely you would not need to change it.

Secondly, I'd also like to thank the many people such as Ana, Andy Cleff, Marcan, William (there are many more of you as well) for their patience whilst developing the Purifier system, and for providing necessary feedback on the settings; without their feedback (& their frustrations etc.), it would have made the work a lot more difficult in arriving at a decision of what should be set as default.

But we still require more feedback from users in working backgrounds on the default settings and if/how they adjust those settings.

_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

31/1/2010 8:07:03
#2

Re: HTMLPurifier Admin Options - your opinions

Well, this is a busy topic.

idk if it's just me - but purifier strips the javascript out of all of my a tags.

ex:
<a href="(script removed) void(0);">Ajax Anchor</a>


This is no bueno, and I kinda think I know what you are gonna say...

Quote:

Well.... try # instead.



and my response... # is not valid.

Any time I build a site with impresscms that is rich in js - I end up having to disable purifier. Which sucks, and even then the javascript part is still getting ripped out.

Security is grand and all - I am down with that - but it would be nice if we could override security if we needed to in admin side.

Content manager/blocks/etc.... if you are on acp side - you should not be limited because of the potential security risks on the user side.


31/1/2010 9:01:10
#3

Re: HTMLPurifier Admin Options - your opinions

I think you'll find that it's the textsanitizer stripping javascript. As far as I'm aware, that has always been the case anyway.

Though HTMLPurifier would also remove it as well.

_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

31/1/2010 9:44:54
#4

Re: HTMLPurifier Admin Options - your opinions

Ya, that was the half-awake point I was trying to make... I can go in and modify textsanitizer to allow it - but then purifier still gets in my way... this seems so counterproductive.

If purifier is handling security - why is textsanitizer still being used?

I think what it really boils down to - is that the security that we use is fantastic for keeping users from embedding malicious code and all that - but it has gone beyond that - and at least for me - has begun to get in the way of what I need to do.

I have been forced to use Drupal and WordPress more and more for sites because ICMS is not flexible enough to do what I need it to do.

Hell, I am even using Drupal to build my new site... it seems so wrong, but at the same time what am I supposed to do?

I am not sure that ICMS is actually going somewhere where it will be usable for any of the sites I am building or will build. I am building rich - interactive - modern websites - and ICMS makes it feel like such a chore to do it. While systems like Drupal are not only more simple for users to use - but the addons and combinations of addons that exist make it painless to set up. (Friggin Views people! VIEWS!)

Another point - Through work I am building some pretty big name sites now... really big actually - and I wish I could say who they were but I am not allowed to - the exposure ICMS would gain from me being able to use it for these sites would be tremendous - the problem is... ICMS is not even close to ready for this kind of stuff. Soooo Drupal gets yet another big name site. Same thing goes for pretty much all of the sites I am working on - out of 15 that I am currently building - only one is ICMS - and its a basic install - and still has issues.

Quote:

No Mr. Customer who is paying for a working website - a white screen when you go to edit a block is totally normal.



Quote:

Oh? all the html syntax is showing up in the forum when using a wysiwyg editor?



I mean I fixed the issues - but damn.

Sure - I can hack and mod my own websites to do whatever using ICMS - but from a users perspective - no friggin way... I can't expect a simple user to have to open up ftp and modify templates because the acp ui doesn't allow them to do basic stuff without interfering...

Summation: Developers are not users.


31/1/2010 14:09:30
#5

Re: HTMLPurifier Admin Options - your opinions

Will, I must admit that you have a point there. The problem is that, until now, the changes in ImpressCMS have all been triggered by the developers. I'm looking at a way to let the user participate much more in deciding what should be changed or added.

Will, if you could tell us in more detail (without disclosing any company secrets of course) what it is you need ImpressCMS to do (in another thread), that would be very helpful.

Mindlessly stripping away javascript is not good in the current state of the web. We're trying ourselves to introduce more javascript in all the parts of ImpressCMS, so we're kinda shooting ourselves in the foot here.

Underdog is doing some tests on forms and jQuery and I'm very interested to see what comes of that.

_________________

Me on OpenHub


1/2/2010 19:13:32
#6

Re: HTMLPurifier Admin Options - your opinions

Quote:

MrTheme wrote:

If purifier is handling security - why is textsanitizer still being used?



Excellent point and one that can and should be addressed in 1.3. No sense in doing the work twice.

Quote:

I am not sure that ICMS is actually going somewhere where it will be usable for any of the sites I am building or will build. I am building rich - interactive - modern websites - and ICMS makes it feel like such a chore to do it. While systems like Drupal are not only more simple for users to use - but the addons and combinations of addons that exist make it painless to set up. (Friggin Views people! VIEWS!)


Quote:

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content (nodes in Views 1, almost anything in Views 2) are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted.

This tool is essentially a smart query builder that, given enough information, can build the proper query, execute it, and display the results. It has four modes, plus a special mode, and provides an impressive amount of functionality from these modes.



My basic understanding of Drupal Views is to present data from underlying tables differently than how the module/feature developer presents them, without having to hack themes/templates. If this is correct, Formulize does have this little-known feature. Instead of creating a form and building your own list of fields, base the form on an existing db table, create a view or screen (custom display page) and BAM!

Quote:

Another point - Through work I am building some pretty big name sites now... really big actually - and I wish I could say who they were but I am not allowed to - the exposure ICMS would gain from me being able to use it for these sites would be tremendous - the problem is... ICMS is not even close to ready for this kind of stuff. Soooo Drupal gets yet another big name site. Same thing goes for pretty much all of the sites I am working on - out of 15 that I am currently building - only one is ICMS - and its a basic install - and still has issues.



We've got a great team, here, and we'll be continuing to polish and progress. Yet, we need to realize and accept that no CMS is perfect for every job and we need to focus on our niche - what makes us unique. Is it the Project, or the Community? The code or the philosophy? There are a lot of intangibles, but we also need to deliver tangible results.

_________________
Christian Web Resources
Facebook

1/2/2010 20:12:11
#7

Re: HTMLPurifier Admin Options - your opinions

Now, back on the original topic....

Just some crazy ideas -

What if we had some basic profiles for HTML Purifier - like:
1. No filtering, just tidy up the html
2. Only restrict the most easily exploited tags/attributes
3. Strict, but not paranoid
4. Paranoid
5. Custom

???

_________________
Christian Web Resources
Facebook

1/2/2010 21:37:49
#8

Re: HTMLPurifier Admin Options - your opinions

That's not a crazy idea, it's a brilliant idea.
Same for being able to import (XML) settings for purifier?


2/2/2010 6:38:44
#9

Re: HTMLPurifier Admin Options - your opinions

Quote:

Now, back on the original topic....

Just some crazy ideas -

What if we had some basic profiles for HTML Purifier - like:
1. No filtering, just tidy up the html
2. Only restrict the most easily exploited tags/attributes
3. Strict, but not paranoid
4. Paranoid
5. Custom

???



Well, not exactly the kind of responses I was actually looking for.

I was asking about the current options available in preferences, to determine what people are changing from default, how they are changing them, and whether some of those options can be removed because they never ever get changed from their defaults.

I wasn't asking for feature improvements. lol

Though, to answer some of those points:

1. I suppose that could be done (though see reply '2').

2. Yes, this could be done, but remember Purifier works on a whitelist basis: the forbidden tags subtract themselves from the allowed list. To make this work as we all want, we have to redo the filtering of the core completely, to make sure we can properly determine when & where content is being filtered, specifically either input filtering, where all filtering is done prior to writing to the DB, or output filtering, where all filtering is done on output. Both have their pros & cons, but input filtering has far fewer cons. I may have a solution to that soon if it works out as I think it will.

3. Well, the options are there to change the strictness, but yes, they are global. It is still a work in progress however (and I really should blog more); eventually my plan is to have different filtering methods and configs that can be based on group, individual user & module overrides (though core will be able to select if an option can be overridden by a module config value).

4. "Just because you're paranoid, doesn't mean they aren't out to get you" ;)

5. Custom, custom, yes. As Niels mentioned, custom XML import/export is on the way.

_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
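As an added worked example that is not code from ImpressCMS or HTMLPurifier: a toy whitelist sanitizer in Python that reproduces the two behaviours argued over above. The href="javascript:void(0);" anchor from post #2 loses its href because the scheme list has no "javascript" entry (and the case-mangled, tab-split and entity-encoded spellings are caught too), while the forbidden list from reply '2' in post #9 only ever subtracts from the allowed list, so forbidding an element that was never allowed is a no-op. The element/attribute profile, the scheme list, the sample inputs and all names (ALLOWED, FORBIDDEN, safe_url, sanitize) are this example's own assumptions; a real sanitizer also rebalances tags, filters CSS and parses URIs fully.

```python
"""
Toy whitelist HTML sanitizer (added illustration, NOT HTMLPurifier/ImpressCMS code).
The profile, scheme list and helper names below are this example's assumptions.
"""
import re
from html import escape
from html.parser import HTMLParser
from typing import Optional

# Assumed profile: element -> attributes allowed on it. Anything else is dropped.
ALLOWED = {
    "a": {"href", "title"},
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "img": {"src", "alt"},
}
# Forbidden names are subtracted from ALLOWED. Forbidding "script" changes
# nothing (it was never allowed); forbidding "img" actually removes it.
FORBIDDEN = {"img", "script"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumed; deliberately no "javascript"
VOID = {"br", "img"}                            # no closing tag emitted
DROP_CONTENT = {"script", "style"}              # drop the text inside as well

_STRIP = "".join(chr(c) for c in range(0x21)) + "\x7f"   # C0 controls, space, DEL
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def safe_url(value: str) -> Optional[str]:
    """Return the URL if its scheme is whitelisted or it has no scheme, else None."""
    # Mirror what a browser's URL parser does before it reads the scheme:
    # trim leading/trailing controls and spaces, drop tab/LF/CR anywhere,
    # so "java\tscript:" and " javascript:" cannot sneak past the check.
    cleaned = value.strip(_STRIP)
    for ch in "\t\n\r":
        cleaned = cleaned.replace(ch, "")
    m = _SCHEME.match(cleaned)
    if m is None:                 # "#", "/path", "page.php?x=1": nothing to object to
        return cleaned or None
    return cleaned if m.group(1).lower() in ALLOWED_SCHEMES else None


class WhitelistSanitizer(HTMLParser):
    def __init__(self, allowed, forbidden):
        super().__init__(convert_charrefs=True)
        # whitelist minus forbidden: the only set that ever gets consulted
        self.allowed = {t: a for t, a in allowed.items() if t not in forbidden}
        self.out = []
        self._skip = 0            # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        if tag not in self.allowed:
            return                # element dropped; its text still flows through
        kept = []
        for name, value in attrs:  # HTMLParser has already decoded &#106; etc.
            if name not in self.allowed[tag] or value is None:
                continue          # e.g. onclick= is never on the whitelist
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue      # javascript:/data:/vbscript: attribute removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self._skip:
            self._skip -= 1
        if tag in self.allowed and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


def sanitize(fragment: str, allowed=ALLOWED, forbidden=FORBIDDEN) -> str:
    """Input-side filtering: run once before the fragment is written to the DB."""
    p = WhitelistSanitizer(allowed, forbidden)
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed samples: the anchor from post #2 plus obfuscated spellings.
    for sample in [
        '<a href="javascript:void(0);">Ajax Anchor</a>',
        '<a href="#">Ajax Anchor</a>',
        '<a href="JaVaScRiPt:alert(1)">x</a>',
        '<a href="java\tscript:alert(1)">x</a>',
        '<a href="&#106;avascript:alert(1)">x</a>',
        '<p onclick="alert(1)">hi <script>alert(1)</script><b>there</b></p>',
        '<img src="https://example.com/a.png" alt="a">',
    ]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the scheme list is a whitelist, there is no "allow javascript: for admins" switch to flip that would not also reopen the same hole for everyone else's content; the safe pattern for a script-driven anchor is href="#" in the stored HTML with the behaviour attached by a script that ships with the theme or module, not inside the filtered content.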

20/11/2011 15:37:11
#10

Re: HTMLPurifier Admin Options - your opinions

I am also running into this issue more and more.

While still struggling with ImpressCMS I am leaning more and more towards going to Drupal. Even with HTMLPurifier completely disabled it adds linebreaks, making adding content and making it look proper impossible.

It is frustrating.

I think the developers need to decide if they want a functional rich site or something that is hard to use but I guess can be called secure.


21/11/2011 8:42:32
#11

Re: HTMLPurifier Admin Options - your opinions

Disabling HTMLPurifier doesn't ADD linebreaks. When it's disabled properly, it just does nothing.

I can understand your frustration, but instead of complaining and threatening to drop ImpressCMS, it would be more efficient to work constructively toward a solution.

That way we both get what we want : a better and easier-to-use ImpressCMS.

_________________

Me on OpenHub

