Item11251: TinyMCEPlugin does not work correctly with SafeWikiPlugin enabled in Foswiki 1.1.3

Priority: Normal
Current State: Closed
Released In: n/a
Target Release: patch
Applies To: Extension
Component: SafeWikiPlugin, TinyMCEPlugin
Branches: trunk
Reported By: HansHeider
Waiting For:
Last Change By: CrawfordCurrie
-- HansHeider - 13 Nov 2011

Enabling the SafeWikiPlugin in Foswiki 1.1.3 results in the display of the error message "Unable to install TinyMCE: could not read "TINYMCEPLUGIN_INIT" from FoswikiTiny.init" every time one tries to edit a topic with the TinyMCEPlugin. Disabling the SafeWikiPlugin resolves the issue, but of course disables the protection offered by the SafeWikiPlugin.

According to an IRC chat with CDot: "bottom line is, there is a known problem with the TinyMCE editor when used with SafeWikiPlugin. At this time the only workaround is not to use one or other of the plugins".

-- HansHeider - 13 Nov 2011

The problem is that TinyMCEPlugin uses an inline <script>FoswikiTiny.init = { ... json ...};</script> to get settings out of Foswiki and into the TinyMCE editor.

One possible solution is to make the settings load via URL.

I've attached patches, which are also available on github at

-- PaulHarvey - 13 Nov 2011

We can't allow inline script in an SWP environment because anybody can use the ADDTOZONE or ADDTOHEAD macros to add arbitrary inline script to the head/script zones.

-- PaulHarvey - 13 Nov 2011

Right - and it's difficult to mark selected JS as "OK", because JS can be injected from a variety of sources.

On that note, it might be possible to distinguish between script injected using ADDTOHEAD and that injected using methods in the core. SWP could be trained to strip only script that comes from an "unsafe" source (c.f. tainted)

-- CrawfordCurrie - 28 Nov 2011
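
The trade-off discussed in this thread, as an added example (not code from the thread, SafeWikiPlugin or TinyMCEPlugin): a simplified output filter that removes every inline <script> element, so the inline FoswikiTiny.init assignment disappears together with script added through ADDTOZONE, while settings loaded by URL from a trusted origin survive. The origin list, the sample page and its URL are constructed, and the filter looks only at <script> elements.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (constructed value): the one origin trusted to serve script files.
SAFE_ORIGINS = {("https", "wiki.example.org")}

class ScriptFilter(HTMLParser):
    """Re-emit HTML without inline <script> elements or untrusted script URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass &amp; etc. through as-is
        self.out, self.dropped, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            url = urlsplit(src) if src else None
            # No src means inline script; relative URLs are rejected here too.
            if url is None or (url.scheme, url.hostname) not in SAFE_ORIGINS:
                self._skip = True
                self.dropped.append(src or "inline")
                return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script" and self._skip:
            self._skip = False  # end of the removed element
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:  # the body of a removed script is discarded
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_html(page):
    f = ScriptFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.dropped  # (filtered HTML, removed scripts)

# Constructed page: inline settings, settings by URL, inline script from a macro.
SAMPLE = ('<head><script>FoswikiTiny.init = {"mode": "textareas"};</script>'
          '<script src="https://wiki.example.org/pub/tinymce_settings.js"></script>'
          '<script>document.title = "via ADDTOZONE";</script></head><p>A &amp; B</p>')
```

Calling filter_html(SAMPLE) returns the page with only the URL-loaded script left and both inline scripts listed as removed. Comments and doctype declarations are not re-emitted by this sketch.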

Version 2.0.0 works on trunk and Release01x01 with default configuration.

-- CrawfordCurrie - 05 Feb 2012
Topic revision: r6 - 05 Feb 2012, CrawfordCurrie