deprecate embed plugin too
I see that this plugin's lists of safe content are already well out of date, and htmlscrubber_skip offers a non whitelist based approach, so let's deprecate this plugin for 3.0.master
parent
dbd95c67bc
commit
c2d2ff0199
|
@ -8,7 +8,10 @@ ikiwiki (3.00) UNRELEASED; urgency=low
|
||||||
admin preferences into a setup file.
|
admin preferences into a setup file.
|
||||||
* prefix_directives and aggregate_internal are now turned on by default.
|
* prefix_directives and aggregate_internal are now turned on by default.
|
||||||
* ikiwiki-transition prefix_directives syntax changed
|
* ikiwiki-transition prefix_directives syntax changed
|
||||||
* googlecalendar: removed this deprecated plugin. Use embed instead.
|
* googlecalendar: removed this deprecated plugin. Use htmlscrubber_skip
|
||||||
|
instead.
|
||||||
|
* embed: This plugin is deprecated, use htmlscrubber_skip instead.
|
||||||
|
Closes: ##462970.
|
||||||
* Version 3.00 of the plugin API.
|
* Version 3.00 of the plugin API.
|
||||||
|
|
||||||
-- Joey Hess <joeyh@debian.org> Wed, 24 Dec 2008 19:49:36 -0500
|
-- Joey Hess <joeyh@debian.org> Wed, 24 Dec 2008 19:49:36 -0500
|
||||||
|
|
|
@ -13,6 +13,14 @@ In the examples below, the parts of the html that you can change are denoted
|
||||||
with "XXX"; everything else must appear exactly as shown to be accepted by the
|
with "XXX"; everything else must appear exactly as shown to be accepted by the
|
||||||
plugin.
|
plugin.
|
||||||
|
|
||||||
|
*This plugin is deprecated.* Rather than relying on these complex lists
|
||||||
|
of safe content, which constantly fall out of date, you're recommended to
|
||||||
|
configure the [[htmlscrubber]] to not scrub some pages, which only trusted
|
||||||
|
users can edit. Then you can embed anything from anywhere on those pages.
|
||||||
|
See [[tips/embedding_content]] for details and examples.
|
||||||
|
This plugin's lists of safe embedded content will not be maintained, and
|
||||||
|
the plugin will be removed in a future release.
|
||||||
|
|
||||||
## google maps
|
## google maps
|
||||||
|
|
||||||
Use html like this to embed a map:
|
Use html like this to embed a map:
|
||||||
|
|
|
@ -32,10 +32,10 @@ other HTML-related functionality, such as whether [[meta]] allows
|
||||||
potentially unsafe HTML tags.
|
potentially unsafe HTML tags.
|
||||||
|
|
||||||
The `htmlscrubber_skip` configuration setting can be used to skip scrubbing
|
The `htmlscrubber_skip` configuration setting can be used to skip scrubbing
|
||||||
of some pages. Set it to a [[ikiwiki/PageSpec]], such as "!*/Discussion", and pages
|
of some pages. Set it to a [[ikiwiki/PageSpec]], such as "!*/Discussion",
|
||||||
matching that can have all the evil CSS, JavsScript, and unsafe html
|
and pages matching that can have all the evil CSS, JavsScript, and unsafe
|
||||||
elements you like. One safe way to use this is to use [[lockedit]] to lock
|
html elements you like. One safe way to use this is to use [[lockedit]] to
|
||||||
those pages, so only admins can edit them.
|
lock those pages, so only admins can edit them.
|
||||||
|
|
||||||
----
|
----
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
Content from sites such as YouTube can be embedded into a web page. Maybe
|
||||||
|
you want to do this. But you'll find that the [[plugins/htmlscrubber]]
|
||||||
|
doesn't let you. It blocks the tags used to embed such content, because
|
||||||
|
they can be abused in many evil ways.
|
||||||
|
|
||||||
|
Some plugins have been written to try to work around this problem, by
|
||||||
|
whitelisting the html needed to embed things from a few sites like Google
|
||||||
|
calendar, videos, and YouTube. The problem with these plugins is that they
|
||||||
|
have to be kept up to date to add new sites, and follow changes to the html
|
||||||
|
such sites use for embedding.
|
||||||
|
|
||||||
|
(Digression: The real problem with the plugins is that they hide the
|
||||||
|
underlying trust relationship. If you decide to embed html from a site,
|
||||||
|
you'd better trust that site. And if ikiwiki lets you enter such html, it
|
||||||
|
needs to trust you.)
|
||||||
|
|
||||||
|
The [[plugins/htmlscrubber]] offers a different way around this problem.
|
||||||
|
You can configure it to skip scrubbing certian pages, so that content from
|
||||||
|
elsewhere can be embedded on those pages. Then use [[plugins/lockedit]]
|
||||||
|
to limit who can edit those unscrubbed pages.
|
||||||
|
|
||||||
|
For example, suppose your blog is all under `blog/*`, and you want
|
||||||
|
only yourself to be able to post there, and you'd like to be able to embed
|
||||||
|
youtube videos etc in your blog. Other users can edit some pages in the
|
||||||
|
wiki (Discussion pages, say), but not your blog posts. Then you could configure
|
||||||
|
ikiwiki as follows:
|
||||||
|
|
||||||
|
htmlscrubber_skip => 'blog/* and !*/Discussion',
|
||||||
|
locked_pages => '!*/Discussion',
|
||||||
|
|
||||||
|
More simply, you might want to allow yourself to embed content anywhere
|
||||||
|
on the wiki, but scrub content written on Discussion pages:
|
||||||
|
|
||||||
|
htmlscrubber_skip => '!*/Discussion',
|
||||||
|
locked_pages => '!*/Discussion',
|
|
@ -82,7 +82,14 @@ Otherwise, follow this procedure to upgrade a wiki using the aggregate plugin:
|
||||||
`ikiwiki-transition aggregateinternal your.setup`,
|
`ikiwiki-transition aggregateinternal your.setup`,
|
||||||
3. Refresh the wiki. (`ikiwiki -setup your.setup -refresh`)
|
3. Refresh the wiki. (`ikiwiki -setup your.setup -refresh`)
|
||||||
|
|
||||||
## googlecalendar
|
## embed / googlecalendar
|
||||||
|
|
||||||
This plugin has been deprecated for a long time, and is removed in 3.0. If
|
The googlecalendar plugin has been deprecated for a long time, and is
|
||||||
your wiki used it, you should enable the [[plugins/embed]] plugin, instead.
|
removed in 3.0.
|
||||||
|
|
||||||
|
The embed plugin is also now deprecated, though not yet removed.
|
||||||
|
|
||||||
|
If you use either plugin to embed content from google, youtube, etc,
|
||||||
|
into your wiki, you should instead configure the [[plugins/htmlscrubber]]
|
||||||
|
to skip sanitising some pages, via the `htmlscrubber_skip` setting.
|
||||||
|
See [[embedding_content]] for examples.
|
||||||
|
|
Loading…
Reference in New Issue