[xwiki-devs] [Proposal] How about extending EscapeTool to add XWiki 1.0 and 2.0 escaping? Re: [xwiki-users] XWiki/1.0 and XWiki/2.0 escaping
13 Jun
2010
13 Jun
'10
11:51 a.m.
Right now $escapetool is included via velocity configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
Although it would be cleaner I'm resistant to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
Caleb
Marius Dumitru Florea wrote:
On 06/13/2010 11:43 AM, Marius Dumitru Florea wrote:
On 06/12/2010 04:26 PM, Ivan Levashew wrote:
> Hello!
>
> Yet another problem I'm encountering is lack of
> proper escaping tools. I have noticed it when I
> decided to use [ and ] in page titles.
> «My Recent Modifications» became broken because
> XWiki parsed [ and ]. Currently I have added
> {pre} and {/pre} at both ends, but it is just a
> krunch. What is the proper way? I have checked
> $escapetool and $xwiki.get*Encoded APIs. There is
> no common API to escape [, ], =, {, etc.
You haven't checked
http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
Hope this helps,
Marius
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users 
13 Jun
13 Jun
11:55 a.m.
Good idea. These methods should have been there from the very beginning IMO.
Alex
On 06/13/2010 11:51 AM, Caleb James DeLisle wrote:
Right now $escapetool is included via velocity
configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
Although it would be cleaner I'm resistant to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
Caleb
Marius Dumitru Florea wrote:
On 06/13/2010 11:43 AM, Marius Dumitru Florea
wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs On 06/12/2010 04:26 PM, Ivan Levashew wrote:
> Hello!
>
> Yet another problem I'm encountering is lack of
> proper escaping tools. I have noticed it when I
> decided to use [ and ] in page titles.
> «My Recent Modifications» became broken because
> XWiki parsed [ and ]. Currently I have added
> {pre} and {/pre} at both ends, but it is just a
> krunch. What is the proper way? I have checked
> $escapetool and $xwiki.get*Encoded APIs. There is
> no common API to escape [, ], =, {, etc.
You haven't checked
http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
Hope this helps,
Marius
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users 
12:39 p.m.
+1
Thanks,
Marius
On 06/13/2010 12:51 PM, Caleb James DeLisle wrote:
Right now $escapetool is included via velocity
configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
Although it would be cleaner I'm resistant to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
Caleb
Marius Dumitru Florea wrote:
On 06/13/2010 11:43 AM, Marius Dumitru Florea
wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs On 06/12/2010 04:26 PM, Ivan Levashew wrote:
> Hello!
>
> Yet another problem I'm encountering is lack of
> proper escaping tools. I have noticed it when I
> decided to use [ and ] in page titles.
> «My Recent Modifications» became broken because
> XWiki parsed [ and ]. Currently I have added
> {pre} and {/pre} at both ends, but it is just a
> krunch. What is the proper way? I have checked
> $escapetool and $xwiki.get*Encoded APIs. There is
> no common API to escape [, ], =, {, etc.
You haven't checked
http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
Hope this helps,
Marius
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users 
3:31 p.m.
New subject: [xwiki-devs] [Proposal] How about extending EscapeTool to add XWiki 1.0 and 2.0 escaping? Re: [xwiki-users] XWiki/1.0 and XWiki/2.0 escaping
On Jun 13, 2010, at 11:51 AM, Caleb James DeLisle wrote:
Right now $escapetool is included via velocity
configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
I'm not sure it has to do with escapetool (at least for xwiki/2.0 and other new
rendering syntaxes). I think it has more to do with the rendering module since it's
the rendering module which defines the escaping rules (for xwiki/2.0 and other syntaxes,
except for syntax 1.0 which is in the old rendering). In addition it would need to be
generic, something like $services.rendering.escape(text, syntax)
BTW I haven't followed this thread but what are the needs? It sounds a bit strange to
have to output wiki syntax through velocity.
Thanks
-Vincent
Although it would be cleaner I'm resistant to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
Caleb
Marius Dumitru Florea wrote:
On 06/13/2010 11:43 AM, Marius Dumitru Florea
wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs On 06/12/2010 04:26 PM, Ivan Levashew wrote:
> Hello!
>
> Yet another problem I'm encountering is lack of
> proper escaping tools. I have noticed it when I
> decided to use [ and ] in page titles.
> «My Recent Modifications» became broken because
> XWiki parsed [ and ]. Currently I have added
> {pre} and {/pre} at both ends, but it is just a
> krunch. What is the proper way? I have checked
> $escapetool and $xwiki.get*Encoded APIs. There is
> no common API to escape [, ], =, {, etc.
You haven't checked
http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
Hope this helps,
Marius
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3:59 p.m.
New subject: [xwiki-devs] [Proposal] How about extending EscapeTool to add XWiki 1.0 and 2.0 escaping? Re: [xwiki-users] XWiki/1.0 and XWiki/2.0 escaping
Vincent Massol wrote:
On Jun 13, 2010, at 11:51 AM, Caleb James DeLisle
wrote:
$services.rendering.escape(text, syntax)
I agree with the idea of generic but too much typing and nobody will ever use it, opting
to be insecure instead.
Also I'm -.5 to the idea if it means separating it from the other functions of
escapetool.
Right now $escapetool is included via velocity
configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
I'm not sure it has to do with escapetool (at least for xwiki/2.0 and other new
rendering syntaxes). I think it has more to do with the rendering module since it's
the rendering module which defines the escaping rules (for xwiki/2.0 and other syntaxes,
except for syntax 1.0 which is in the old rendering). In addition it would need to be
generic, something like
BTW I haven't followed this thread but what are the needs? It sounds a bit strange to
have to output wiki syntax through velocity.
People want user supplied content to be spliced into a page without effecting the wiki
output.
We use escapetool to escape XML and URLs. this would just add more features to it.
Another need is to make escapetool.xml escape { so that user content cannot jailbreak an
html macro.
Thanks
-Vincent
Although it would be cleaner I'm resistant
to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
Caleb
Marius Dumitru Florea wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
On 06/13/2010 11:43 AM, Marius Dumitru Florea
wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs On 06/12/2010 04:26 PM, Ivan Levashew wrote:
> Hello!
>
> Yet another problem I'm encountering is lack of
> proper escaping tools. I have noticed it when I
> decided to use [ and ] in page titles.
> «My Recent Modifications» became broken because
> XWiki parsed [ and ]. Currently I have added
> {pre} and {/pre} at both ends, but it is just a
> krunch. What is the proper way? I have checked
> $escapetool and $xwiki.get*Encoded APIs. There is
> no common API to escape [, ], =, {, etc.
You haven't checked
http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This
doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
Hope this helps,
Marius
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users 
14 Jun
14 Jun
10:52 a.m.
New subject: [xwiki-devs] [Proposal] How about extending EscapeTool to add XWiki 1.0 and 2.0 escaping? Re: [xwiki-users] XWiki/1.0 and XWiki/2.0 escaping
On Sun, Jun 13, 2010 at 11:51, Caleb James DeLisle
<calebdelisle(a)lavabit.com> wrote:
Right now $escapetool is included via velocity
configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
Although it would be cleaner I'm resistant to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
$escapetool.xwiki2(String) is pretty easy to do but
$escapetool.xwiki1(String) is almost impossible (which is one of the
many reason for having the new rendering system and syntax)
But here is my +1 for the general principal.
We would also have
$escapetool.syntax(String content, Syntax syntaxId)
that would support any provided syntax that implements a proper
Renderer. $escapetool.xwiki2(String) could still be a shortcut for the
same thing since as you said it should be as easy as possible to call
it.
Caleb
Marius Dumitru Florea wrote:
--
Thomas Mortagne
On 06/13/2010 11:43 AM, Marius Dumitru Florea
wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
On 06/12/2010 04:26 PM, Ivan Levashew wrote:
> Hello!
>
> Yet another problem I'm encountering is lack of
> proper escaping tools. I have noticed it when I
> decided to use [ and ] in page titles.
> «My Recent Modifications» became broken because
> XWiki parsed [ and ]. Currently I have added
> {pre} and {/pre} at both ends, but it is just a
> krunch. What is the proper way? I have checked
> $escapetool and $xwiki.get*Encoded APIs. There is
> no common API to escape [, ], =, {, etc.
You haven't checked
http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
Hope this helps,
Marius
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
11:33 a.m.
New subject: [xwiki-devs] [xwiki-users] [Proposal] How about extending EscapeTool to add XWiki 1.0 and 2.0 escaping? Re: XWiki/1.0 and XWiki/2.0 escaping
Thomas Mortagne wrote:
On Sun, Jun 13, 2010 at 11:51, Caleb James DeLisle
<calebdelisle(a)lavabit.com> wrote:
I imagined it would be like: "{{{" + string.replaceAll("}}}",
"~}~}~}") + "}}}"
Right now $escapetool is included via velocity
configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
Although it would be cleaner I'm resistant to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
$escapetool.xwiki2(String) is pretty easy to do but $escapetool.xwiki1(String) is almost impossible (which
is one of the
many reason for having the new rendering system and syntax)
Hmm, how about xml escaping any character which is used in syntax1.0 formatting?
But here is my +1 for the general principal.
We would also have
$escapetool.syntax(String content, Syntax syntaxId)
that would support any provided syntax that implements a proper
Renderer.
+1 for the idea, how do we get at the Syntax object in velocity?
Maybe: $escapetool.syntax(String content, String syntaxId) is more realistic.
$escapetool.xwiki2(String) could still be a shortcut
for the
same thing since as you said it should be as easy as possible to call
it.
My thinking exactly.
Caleb
Marius Dumitru Florea wrote:
On 06/13/2010 11:43 AM, Marius Dumitru Florea
wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
On 06/12/2010 04:26 PM, Ivan Levashew wrote:
> Hello!
>
> Yet another problem I'm encountering is lack of
> proper escaping tools. I have noticed it when I
> decided to use [ and ] in page titles.
> «My Recent Modifications» became broken because
> XWiki parsed [ and ]. Currently I have added
> {pre} and {/pre} at both ends, but it is just a
> krunch. What is the proper way? I have checked
> $escapetool and $xwiki.get*Encoded APIs. There is
> no common API to escape [, ], =, {, etc.
You haven't checked
http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This
doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
Hope this helps,
Marius
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
11:27 a.m.
New subject: [xwiki-devs] [xwiki-users] [Proposal] How about extending EscapeTool to add XWiki 1.0 and 2.0 escaping? Re: XWiki/1.0 and XWiki/2.0 escaping
On Mon, Jun 14, 2010 at 11:33, Caleb James DeLisle
<calebdelisle(a)lavabit.com> wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
Thomas Mortagne wrote:
No, nothing like that: you parse it with plain/1.0 parser and render
it with xwiki/2.0 renderer (or any other syntax providing a renderer
in which you want to escape it).
On Sun, Jun 13, 2010 at 11:51, Caleb James
DeLisle
<calebdelisle(a)lavabit.com> wrote:
I imagined it would be like: "{{{" + string.replaceAll("}}}",
"~}~}~}") + "}}}" Right now $escapetool is included via velocity
configuration.
I don't see any reason why we couldn't change to a VelocityContextInitializer
which adds an extension of escapetool which has:
$escapetool.xwiki1(String)
$escapetool.xwiki2(String)
Although it would be cleaner I'm resistant to:
$escapetool.xwiki.syntax20(String)
or the like because vulnerability is easier than security so we should
make security as easy (to type) as possible.
I'm not sure when I'll have time to do this but I don't think it'd take
more
than a few hours.
WDYT?
$escapetool.xwiki2(String) is pretty easy to do but $escapetool.xwiki1(String) is almost impossible
(which is one of the
many reason for having the new rendering system and syntax)
Hmm, how about xml escaping any character which is used in syntax1.0 formatting?
But here is my +1 for the general principal.
We would also have
$escapetool.syntax(String content, Syntax syntaxId)
that would support any provided syntax that implements a proper
Renderer.
+1 for the idea, how do we get at the Syntax object in velocity?
Maybe: $escapetool.syntax(String content, String syntaxId) is more realistic.
$escapetool.xwiki2(String) could still be a
shortcut for the
same thing since as you said it should be as easy as possible to call
it.
My thinking exactly.
Caleb
Marius Dumitru Florea wrote:
On 06/13/2010 11:43 AM, Marius Dumitru Florea
wrote:
> On 06/12/2010 04:26 PM, Ivan Levashew wrote:
>> Hello!
>>
>> Yet another problem I'm encountering is lack of
>> proper escaping tools. I have noticed it when I
>> decided to use [ and ] in page titles.
>> «My Recent Modifications» became broken because
>> XWiki parsed [ and ]. Currently I have added
>> {pre} and {/pre} at both ends, but it is just a
>> krunch. What is the proper way? I have checked
>> $escapetool and $xwiki.get*Encoded APIs. There is
>> no common API to escape [, ], =, {, etc.
> You haven't checked
> http://platform.xwiki.org/xwiki/bin/view/Main/XWikiSyntax#HEscapes ;)
This doesn't fix your problem. What about
http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-2.3.1-…
?
> Hope this helps,
> Marius
>
>> _______________________________________________
>> users mailing list
>> users(a)xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
5618
days inactive
5619
days old
7 comments
5 participants
participants (5)
-
Alex Busenius -
Caleb James DeLisle -
Marius Dumitru Florea -
Thomas Mortagne -
Vincent Massol