Comments on: Need a Standard Wiki Syntax? Try HTML http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/ Living in a state of accord. Sun, 23 Nov 2008 14:21:22 +0000 http://wordpress.org/?v=2.6.3 By: Symphonious » Wiki Advice Round Up http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-113985 Symphonious » Wiki Advice Round Up Mon, 24 Sep 2007 07:17:12 +0000 http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-113985 [...] Wiki syntax is the other big bit of legacy cruft - it's probably the biggest barrier to wiki adoption now and wiki creators are all scrambling to add WYSIWYG editors instead but many are struggling to make it all work because wiki markup is so non-standard. Should have used HTML instead… [...] [...] Wiki syntax is the other big bit of legacy cruft - it's probably the biggest barrier to wiki adoption now and wiki creators are all scrambling to add WYSIWYG editors instead but many are struggling to make it all work because wiki markup is so non-standard. Should have used HTML instead… [...]

]]> By: Mindquarry Blog http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-57118 Mindquarry Blog Tue, 06 Feb 2007 15:01:49 +0000 http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-57118 <strong>Wikis are web pages (editable)...</strong> What is the distincive feature about Wikis? Is it Wiki an online encyclopedia, a site that uses Wiki markup, or a website that is editable by everyone?  I think the main distinctive trait of Wikis is easy editing. Wikis are webpages that are eas... Wikis are web pages (editable)…

What is the distincive feature about Wikis? Is it Wiki an online encyclopedia, a site that uses Wiki markup, or a website that is editable by everyone?  I think the main distinctive trait of Wikis is easy editing. Wikis are webpages that are eas…

]]> By: Adrian Sutton http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-55430 Adrian Sutton Tue, 30 Jan 2007 02:22:33 +0000 http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-55430 Except that the amount of effort required to create a WYSIWYG editor of a suitable quality is huge and it's not worth doing that for every single different wiki syntax. Besides which, that doesn't solve the problem of being locked into a particular wiki because of it's specific syntax. Except that the amount of effort required to create a WYSIWYG editor of a suitable quality is huge and it’s not worth doing that for every single different wiki syntax. Besides which, that doesn’t solve the problem of being locked into a particular wiki because of it’s specific syntax.

]]> By: Niall http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-55411 Niall Mon, 29 Jan 2007 23:47:59 +0000 http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-55411 ...or maybe the alternative is for the wiki to provide a WYSIWYG editor for their syntax. …or maybe the alternative is for the wiki to provide a WYSIWYG editor for their syntax.

]]> By: Adrian Sutton http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-54988 Adrian Sutton Sat, 27 Jan 2007 20:56:26 +0000 http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-54988 Simon, All the problems with filtering HTML also apply to RSS, Atom etc so it's a well defined and solved problem, you just need to look up the right answers. Whitelisting is the answer and makes it quite simple - plus with a WYSIWYG editor, it should be transparent to users because the editor wouldn't add any markup that is allowed. The cleaning of course still occurs server side for security, just that users who use the WYSIWYG editor won't have any of their content changed. Secondly, these problems only apply to publicly editable wikis. While the most visible use of wikis are the public facing ones, there are actually a vast number of wikis which are internal to organizations and thus have a trusted set of users. If any of your employees add XSS attacks, you fire them and it doesn't happen again. Simon,
All the problems with filtering HTML also apply to RSS, Atom etc so it’s a well defined and solved problem, you just need to look up the right answers. Whitelisting is the answer and makes it quite simple - plus with a WYSIWYG editor, it should be transparent to users because the editor wouldn’t add any markup that is allowed. The cleaning of course still occurs server side for security, just that users who use the WYSIWYG editor won’t have any of their content changed.

Secondly, these problems only apply to publicly editable wikis. While the most visible use of wikis are the public facing ones, there are actually a vast number of wikis which are internal to organizations and thus have a trusted set of users. If any of your employees add XSS attacks, you fire them and it doesn’t happen again.

]]> By: Simon Willison http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-54930 Simon Willison Sat, 27 Jan 2007 15:25:06 +0000 http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-54930 Just read your previous entry in which you address those issues (a WYSIWYG editor and Tidy-based filtering). I think it's very easy to underestimate the size of the XSS problem - for example, filtering javascript: links isn't enough - you alse need to filter vbscript: and jscript: and a whole bunch of other weird variations. You need to use whitelisting rather than blacklisting, but you still need to know about the weird undocumented features of various browsers (LiveJournal had an XSS in Firefox a while back because they allowed CSS, and Firefox CSS can embed XBL files which are executable code). Just read your previous entry in which you address those issues (a WYSIWYG editor and Tidy-based filtering). I think it’s very easy to underestimate the size of the XSS problem - for example, filtering javascript: links isn’t enough - you alse need to filter vbscript: and jscript: and a whole bunch of other weird variations. You need to use whitelisting rather than blacklisting, but you still need to know about the weird undocumented features of various browsers (LiveJournal had an XSS in Firefox a while back because they allowed CSS, and Firefox CSS can embed XBL files which are executable code).

]]> By: Simon Willison http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-54925 Simon Willison Sat, 27 Jan 2007 14:47:47 +0000 http://www.symphonious.net/2007/01/27/need-a-standard-wiki-syntax-try-html/#comment-54925 Using HTML has a couple of disadvantages. The first is that it's more work than most wiki markups - manually adding p tags to every paragraph for tomorrow is just enough effort to make the tool stop being transparent (you have to think about how you're editing the wiki, not just what you're editing). More importantly, safely enabling HTML is actually a surprisingly trick problem. You have to defend against a myriad of nasty tricks for embedding XSS attacks, as well as making sure people can't break your site's layout. MySpace have had an enormous number of security problems as a direct result of letting people use HTML directly. Using HTML has a couple of disadvantages. The first is that it’s more work than most wiki markups - manually adding p tags to every paragraph for tomorrow is just enough effort to make the tool stop being transparent (you have to think about how you’re editing the wiki, not just what you’re editing). More importantly, safely enabling HTML is actually a surprisingly trick problem. You have to defend against a myriad of nasty tricks for embedding XSS attacks, as well as making sure people can’t break your site’s layout. MySpace have had an enormous number of security problems as a direct result of letting people use HTML directly.

]]>