Item11251: TinyMCEPlugin does not work correctly with SafeWikiPlugin enabled in FosWiki 1.1.3
Priority: Normal
Current State: Closed
Released In: n/a
Target Release: patch
--
HansHeider - 13 Nov 2011
Enabling the SafeWikiPlugin in Foswiki 1.1.3 results in the display of the error message "Unable to install TinyMCE: could not read "TINYMCEPLUGIN_INIT" from FoswikiTiny.init" every time one tries to edit a topic with the TinyMCEPlugin.
Disabling the SafeWikiPlugin resolves the issue, but of course disables the protection offered by the SafeWikiPlugin.
According to an IRC chat with CDot: "bottom line is, there is a known problem with the TinyMCE editor when used with SafeWikiPlugin. At this time the only workaround is not to use one or other of the plugins".
--
HansHeider - 13 Nov 2011
The problem is that TinyMCEPlugin uses an inline
<script>FoswikiTiny.init = { ... json ...};</script>
to get settings out of Foswiki and into the TinyMCE editor.
One possible solution is to make the settings load via URL.
I've attached patches, which are also available on github at
--
PaulHarvey - 13 Nov 2011
We can't allow inline script in an SWP environment because anybody can use the ADDTOZONE or ADDTOHEAD macros to add arbitrary inline script to the head/script zones.
--
PaulHarvey - 13 Nov 2011
Right - and it's difficult to mark selected JS as "OK", because JS can be injected from a variety of sources.
On that note, it might be possible to distinguish between script injected using ADDTOHEAD and that injected using methods in the core. SWP could be trained to strip only script that comes from an "unsafe" source (cf. tainted).
--
CrawfordCurrie - 28 Nov 2011
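An added example, not part of the thread and not SafeWikiPlugin's or TinyMCEPlugin's code: a simplified model of the filtering discussed above. It shows that a filter which drops all inline script cannot tell the plugin's `FoswikiTiny.init` block from one added through ADDTOZONE, while settings served from an allow-listed URL survive. The allow-list prefix, file names and settings values are assumptions.

```javascript
// Added illustration; not SafeWikiPlugin or TinyMCEPlugin code.
// Assumed policy: drop every inline <script>, keep external scripts only
// when src starts with an allow-listed prefix.
const ALLOWED_PREFIXES = ["/pub/System/"]; // hypothetical allow-list

// Good enough for the constructed sample below; not a general HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function scriptSrc(attrs) {
  const m = SRC_RE.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function isAllowed(src) {
  return !src.includes("..") && ALLOWED_PREFIXES.some((p) => src.startsWith(p));
}

// Returns the filtered HTML plus a record of what was stripped and why.
function filterScripts(html) {
  const removed = [];
  const output = html.replace(SCRIPT_RE, (whole, attrs, body) => {
    const src = scriptSrc(attrs);
    if (src === null) {
      removed.push({ reason: "inline", text: body.trim() });
      return "";
    }
    if (!isAllowed(src)) {
      removed.push({ reason: "src not allow-listed", text: src });
      return "";
    }
    // Re-emit only the src attribute; any element body is discarded.
    return `<script src="${src.replace(/"/g, "&quot;")}"></script>`;
  });
  return { output, removed };
}

// Constructed sample page: file names and settings values are made up.
const samplePage = [
  '<script src="/pub/System/TinyMCEPlugin/init_settings.js"></script>',
  '<script>FoswikiTiny.init = { "mode": "textareas" };</script>',
  "<script>/* added through ADDTOZONE */ injected();</script>",
  '<script src="https://other.example/x.js"></script>',
].join("\n");

const result = filterScripts(samplePage);
console.log(result.output.trim());
console.log(result.removed.map((r) => `${r.reason}: ${r.text}`).join("\n"));
```

Both inline blocks are reported with the same reason, which is the situation that leaves `FoswikiTiny.init` undefined when the editor starts.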
Version 2.0.0 works on trunk and Release01x01 with default configuration.
--
CrawfordCurrie - 05 Feb 2012