This question about Configuration: Answered

How to configure SafeWikiPlugin?

I installed and enabled SafeWikiPlugin, but then I started getting errors of this sort in the foswiki log file:

2011-01-22T00:46:45Z warning | Parse loop not allowed at /www/w/lib/Foswiki/Plugins/SafeWikiPlugin/Parser.pm line 33.

The browser reported errors about malformed and/or unclosed head elements.

I turned on both FilterAll and CheckPurity and didn't change any of the other defaults.

In particular I left UnsafeURI to be just [ ].

To get things working again, I had to both disable the plugin and turn off FilterAll and CheckPurity.

Can anyone offer advice?

-- FilSalustri - 22 Jan 2011

First thing to check is that HTML::Parser is up to date, because that is where the error is coming from. Perhaps your HTML is sick? (guess)

-- CrawfordCurrie - 15 Feb 2011

Didn't think of that. Will investigate and report back. Thanks for the idea.

-- FilSalustri - 15 Feb 2011

I updated HTML::Parser, and turned SafeWikiPlugin back on, with FilterAll and CheckPurity off.

It works, but:
  1. I had to set {Validation}{Method} to "embedded" - using "strikeone" was causing an error, and
  2. I get an error in Security & Authentication > Environment saying Error: {AllowInlineScript} has been deprecated. Please use SafeWikiPlugin to remove potentially harmful topic content instead. However, I note that AllowInlineScript is NOT checked. Dunno what to do about that.
Should I be worried?

-- FilSalustri - 15 Feb 2011

More info: having done the above, raw edits don't work with NatEditPlugin on. I haven't checked what happens if I turn NatEditPlugin off. Sorry, no time.

I've disabled SafeWikiPlugin again, and put everything back as it was.

If anyone has any ideas, I'd love to hear 'em.

-- FilSalustri - 15 Feb 2011

AllowInlineScript - remove the setting from LocalSite.cfg (manually delete the line)

strikeone should work. What error?

NatEditPlugin dunno, never tested with it + SafeWikiPlugin

-- CrawfordCurrie - 21 Feb 2011

Here's the latest.
  • I made sure NatEditPlugin was disabled
  • I commented out AllowInlineScript in lib/LocalSite.cfg
  • I enabled SafeWikiPlugin
  • validation method set to strikeone
  • I then got a warning from SafeWikiPlugin (in configure) that AllowInlineScript was on.
  • I un-checked AllowInlineScript in configure.
  • Now there are 2 errors:
    • Sessions > {validation}{method}: Validation method strikeone is not compatible with deprecated {AllowInlineScript} setting.
    • Environment > {AllowInlineScript}: {AllowInlineScript} has been deprecated. Please use SafeWikiPlugin to remove potentially harmful topic content instead.
  • I then disabled SafeWikiPlugin
  • Still get the same 2 errors
  • Back to configure, check AllowInlineScript again
  • Errors gone.
I noticed that a new line enabling AllowInlineScript was added to LocalSite.cfg.

So, now I'm thinking the problem may be NOT with SafeWikiPlugin, but with something having to do with AllowInlineScript and configure.

Anyone got any ideas?

-- FilSalustri - 15 Mar 2011

I am having the same issue with Foswiki 1.1.3. I installed it from debian package and also installed and enabled SafeWikiPlugin.

Then I got a warning from the plugin: {AllowInlineScript} is true, which allows topic contributors to embed arbitrary Javascript.

In the topic "Security and Authentication"-> "Environment" I disabled this setting and got the same 2 errors as Crawford.

I changed strikeone to embedded and could get rid of one error. But the other error remains. I decided to change back the settings and ignore the warning at the plugin because it seems to me a false positive. The function of the plugin should make the deprecated setting obsolete, so it should not request its usage.

-- MartinKedaj - 01 Jul 2011

Martin, right, AllowInlineScript is legacy. And it depends on how apache is configured whether a configure setting will "stick" the first time or not. If apache is configured to re-use processes (e.g. with mod_perl or fcgid) then you may have to restart the server.

The bottom line of all this is "if you are using SafeWikiPlugin, then set {Validation}{Method} to embedded and enable AllowInlineScript", right? The configure setup for SafeWikiPlugin checks this (as noted by Fil above) so I guess we can call this "answered".

-- CrawfordCurrie - 02 Aug 2011
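
A way to see which of the settings discussed in this thread are actually in effect in LocalSite.cfg, including the case Fil hit where one line is commented out and configure later adds a new one. This is an added example, not part of the original thread and not Foswiki code; the function names are hypothetical, and it assumes LocalSite.cfg lines of the form `$Foswiki::cfg{Key} = value;` with an unchecked box stored as 0.

```shell
#!/bin/sh
# Added example, not Foswiki code. Usage: sh thisfile lib/LocalSite.cfg
# With no argument it runs on the constructed sample below.

# cfg_value FILE KEY: print the effective value of $Foswiki::cfg<KEY>.
# Commented-out lines are skipped and the last assignment wins, so a line
# re-added by configure overrides an earlier one.
cfg_value() {
    v=$(grep -v '^[[:space:]]*#' "$1" | grep -F -- "\$Foswiki::cfg$2" |
        tail -n 1 | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/;.*$//' | tr -d "'\" ")
    echo "${v:-unset}"
}

# audit_localsite FILE: print the three settings and the configure
# messages this thread reports for that combination.
audit_localsite() {
    ais=$(cfg_value "$1" '{AllowInlineScript}')
    method=$(cfg_value "$1" '{Validation}{Method}')
    swp=$(cfg_value "$1" '{Plugins}{SafeWikiPlugin}{Enabled}')
    echo "AllowInlineScript=$ais Validation.Method=$method SafeWikiPlugin.Enabled=$swp"
    if [ "$swp" = 1 ] && [ "$ais" = 1 ]; then
        echo "NOTE: SafeWikiPlugin warns in configure that {AllowInlineScript} is true"
    fi
    if [ "$ais" = 0 ]; then
        echo "NOTE: configure reported '{AllowInlineScript} has been deprecated'"
        if [ "$method" = strikeone ]; then
            echo "NOTE: configure reported strikeone as not compatible with this setting"
        fi
    fi
    return 0
}

# Constructed sample: the setting was commented out by hand, then a new
# line enabling it appeared further down.
sample_cfg() {
    cat <<'EOF'
# constructed sample, not a real LocalSite.cfg
$Foswiki::cfg{Validation}{Method} = 'strikeone';
#$Foswiki::cfg{AllowInlineScript} = 0;
$Foswiki::cfg{Plugins}{SafeWikiPlugin}{Enabled} = 1;
$Foswiki::cfg{AllowInlineScript} = 1;
EOF
}

if [ -n "${1:-}" ]; then
    audit_localsite "$1"
else
    tmp=$(mktemp); sample_cfg > "$tmp"; audit_localsite "$tmp"; rm -f "$tmp"
fi
```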

QuestionForm

Subject Configuration
Extension SafeWikiPlugin
Version Foswiki 1.1.2
Status Answered
Topic revision: r8 - 02 Aug 2011, CrawfordCurrie