aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@gnu.kitenet.net>2008-12-26 15:27:49 -0500
committerJoey Hess <joey@gnu.kitenet.net>2008-12-26 15:27:49 -0500
commitc2d2ff0199f16e028431cd83961b1bff5e2caa99 (patch)
tree7ef7176c62f19dc0fd5e3affaf6ffd1086b4e1f3
parentdbd95c67bc787e57063f58f7cf0472375d35cd75 (diff)
downloadikiwiki-c2d2ff0199f16e028431cd83961b1bff5e2caa99.tar
ikiwiki-c2d2ff0199f16e028431cd83961b1bff5e2caa99.tar.gz
deprecate embed plugin too
I see that this plugin's lists of safe content are already well out of date, and htmlscrubber_skip offers a non whitelist based approach, so let's deprecate this plugin for 3.0.
-rw-r--r--debian/changelog5
-rw-r--r--doc/plugins/embed.mdwn8
-rw-r--r--doc/plugins/htmlscrubber.mdwn8
-rw-r--r--doc/tips/embedding_content.mdwn35
-rw-r--r--doc/tips/upgrade_to_3.0.mdwn13
5 files changed, 61 insertions, 8 deletions
diff --git a/debian/changelog b/debian/changelog
index 9a96f7415..ddb979c31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,7 +8,10 @@ ikiwiki (3.00) UNRELEASED; urgency=low
admin preferences into a setup file.
* prefix_directives and aggregate_internal are now turned on by default.
* ikiwiki-transition prefix_directives syntax changed
- * googlecalendar: removed this deprecated plugin. Use embed instead.
+ * googlecalendar: removed this deprecated plugin. Use htmlscrubber_skip
+ instead.
+ * embed: This plugin is deprecated, use htmlscrubber_skip instead.
+ Closes: ##462970.
* Version 3.00 of the plugin API.
-- Joey Hess <joeyh@debian.org> Wed, 24 Dec 2008 19:49:36 -0500
diff --git a/doc/plugins/embed.mdwn b/doc/plugins/embed.mdwn
index 1d43061e0..2baf07da5 100644
--- a/doc/plugins/embed.mdwn
+++ b/doc/plugins/embed.mdwn
@@ -13,6 +13,14 @@ In the examples below, the parts of the html that you can change are denoted
with "XXX"; everything else must appear exactly as shown to be accepted by the
plugin.
+*This plugin is deprecated.* Rather than relying on these complex lists
+of safe content, which constantly fall out of date, you're recommended to
+configure the [[htmlscrubber]] to not scrub some pages, which only trusted
+users can edit. Then you can embed anything from anywhere on those pages.
+See [[tips/embedding_content]] for details and examples.
+This plugin's lists of safe embedded content will not be maintained, and
+the plugin will be removed in a future release.
+
## google maps
Use html like this to embed a map:
diff --git a/doc/plugins/htmlscrubber.mdwn b/doc/plugins/htmlscrubber.mdwn
index b9f7e6d22..c59b46e14 100644
--- a/doc/plugins/htmlscrubber.mdwn
+++ b/doc/plugins/htmlscrubber.mdwn
@@ -32,10 +32,10 @@ other HTML-related functionality, such as whether [[meta]] allows
potentially unsafe HTML tags.
The `htmlscrubber_skip` configuration setting can be used to skip scrubbing
-of some pages. Set it to a [[ikiwiki/PageSpec]], such as "!*/Discussion", and pages
-matching that can have all the evil CSS, JavsScript, and unsafe html
-elements you like. One safe way to use this is to use [[lockedit]] to lock
-those pages, so only admins can edit them.
+of some pages. Set it to a [[ikiwiki/PageSpec]], such as "!*/Discussion",
+and pages matching that can have all the evil CSS, JavsScript, and unsafe
+html elements you like. One safe way to use this is to use [[lockedit]] to
+lock those pages, so only admins can edit them.
----
diff --git a/doc/tips/embedding_content.mdwn b/doc/tips/embedding_content.mdwn
new file mode 100644
index 000000000..666f4dab3
--- /dev/null
+++ b/doc/tips/embedding_content.mdwn
@@ -0,0 +1,35 @@
+Content from sites such as YouTube can be embedded into a web page. Maybe
+you want to do this. But you'll find that the [[plugins/htmlscrubber]]
+doesn't let you. It blocks the tags used to embed such content, because
+they can be abused in many evil ways.
+
+Some plugins have been written to try to work around this problem, by
+whitelisting the html needed to embed things from a few sites like Google
+calendar, videos, and YouTube. The problem with these plugins is that they
+have to be kept up to date to add new sites, and follow changes to the html
+such sites use for embedding.
+
+(Digression: The real problem with the plugins is that they hide the
+underlying trust relationship. If you decide to embed html from a site,
+you'd better trust that site. And if ikiwiki lets you enter such html, it
+needs to trust you.)
+
+The [[plugins/htmlscrubber]] offers a different way around this problem.
+You can configure it to skip scrubbing certian pages, so that content from
+elsewhere can be embedded on those pages. Then use [[plugins/lockedit]]
+to limit who can edit those unscrubbed pages.
+
+For example, suppose your blog is all under `blog/*`, and you want
+only yourself to be able to post there, and you'd like to be able to embed
+youtube videos etc in your blog. Other users can edit some pages in the
+wiki (Discussion pages, say), but not your blog posts. Then you could configure
+ikiwiki as follows:
+
+ htmlscrubber_skip => 'blog/* and !*/Discussion',
+ locked_pages => '!*/Discussion',
+
+More simply, you might want to allow yourself to embed content anywhere
+on the wiki, but scrub content written on Discussion pages:
+
+ htmlscrubber_skip => '!*/Discussion',
+ locked_pages => '!*/Discussion',
diff --git a/doc/tips/upgrade_to_3.0.mdwn b/doc/tips/upgrade_to_3.0.mdwn
index 3a515a61f..a9664dfc3 100644
--- a/doc/tips/upgrade_to_3.0.mdwn
+++ b/doc/tips/upgrade_to_3.0.mdwn
@@ -82,7 +82,14 @@ Otherwise, follow this procedure to upgrade a wiki using the aggregate plugin:
`ikiwiki-transition aggregateinternal your.setup`,
3. Refresh the wiki. (`ikiwiki -setup your.setup -refresh`)
-## googlecalendar
+## embed / googlecalendar
-This plugin has been deprecated for a long time, and is removed in 3.0. If
-your wiki used it, you should enable the [[plugins/embed]] plugin, instead.
+The googlecalendar plugin has been deprecated for a long time, and is
+removed in 3.0.
+
+The embed plugin is also now deprecated, though not yet removed.
+
+If you use either plugin to embed content from google, youtube, etc,
+into your wiki, you should instead configure the [[plugins/htmlscrubber]]
+to skip sanitising some pages, via the `htmlscrubber_skip` setting.
+See [[embedding_content]] for examples.