Item2305: Setting $Foswiki::cfg{AllowInlineScript} = 0 will kill strikeone
Priority: Urgent
Current State: Closed
Released In: 1.0.9
Target Release: patch
Applies To: Engine
Component:
Branches:
If you set {AllowInlineScript} = 0, this will make the renderer filter <literal> tags. Since this tag is used to protect URL parameters passed through the validate template, it will kill the strikeone confirmation screen.
The symptom is that when the user confirms strikeone, they get dumped into the login screen. If they log in, they get the old "incorrect parameters to save" message.
Really this setting needs to be killed off. If you need inline script filtering, you should use SafeWikiPlugin.
At the very least, we need a warning about the effects of this.
--
CrawfordCurrie - 29 Oct 2009
Warning text for {ValidationMethod}:
Error: Validation method strikeone is not compatible with {AllowInlineScript} set to disabled.
Warning text for {AllowInlineScript}:
{AllowInlineScript} must be enabled for your current {Validation}{Method} setting. Please consider SafeWikiPlugin as alternative means for restricting potentially harmful topic content.
I had a go at making Checkers for this. I agree that AllowInlineScript should be deprecated.
--
PaulHarvey - 02 Nov 2009
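The consistency check Paul describes above, as an added stand-alone Perl illustration. This is not the checker code that went into Foswiki and does not use the Foswiki::Configure::Checker API; it reads the two settings from an ordinary hash shaped like $Foswiki::cfg, applies the assumed defaults ({AllowInlineScript} = 1, strikeone validation), and returns the warning texts proposed in this item when the two settings conflict. The sample configurations at the bottom are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Foswiki's own checker code. Checks that
# {AllowInlineScript} is enabled whenever {Validation}{Method} is strikeone,
# since disabling it filters the <literal> tags the validate template relies on.
use strict;
use warnings;
use feature 'say';

# Returns the list of warning strings for a config hash (empty list if consistent).
# Defaults are assumptions: strikeone validation and AllowInlineScript = 1.
sub check_inline_script_vs_validation {
    my ($cfg) = @_;
    my $method = $cfg->{Validation}{Method} // 'strikeone';
    my $inline = $cfg->{AllowInlineScript}  // 1;

    return () unless $method eq 'strikeone' && !$inline;

    return (
        'Error: Validation method strikeone is not compatible with '
          . '{AllowInlineScript} set to disabled.',
        '{AllowInlineScript} must be enabled for your current '
          . '{Validation}{Method} setting. Please consider SafeWikiPlugin as '
          . 'alternative means for restricting potentially harmful topic content.',
    );
}

# Constructed sample configurations (hypothetical values for the demo).
my @cases = (
    [ 'strikeone, inline script disabled' =>
        { Validation => { Method => 'strikeone' }, AllowInlineScript => 0 } ],
    [ 'strikeone, inline script enabled (default)' =>
        { Validation => { Method => 'strikeone' }, AllowInlineScript => 1 } ],
    [ 'validation off, inline script disabled' =>
        { Validation => { Method => 'none' }, AllowInlineScript => 0 } ],
);

for my $case (@cases) {
    my ( $label, $cfg ) = @$case;
    my @warnings = check_inline_script_vs_validation($cfg);
    say "$label:";
    say @warnings ? map { "  $_\n" } @warnings : "  no warnings\n";
}
```

Only the first constructed case produces the two warnings; the other two are consistent and print "no warnings", which is the behaviour the checkers in configure are meant to reproduce.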
I agree.
And I may even say that the deprecation should be short.
It is the kind of feature where, if you remove it, no applications will stop working.
It is not like changing file formats or changing the TML or changing API or changing the definition of a long loved Macro.
The feature never really worked as a security feature. Its function is so limited that it is easier than easy to put JS in topics even with this feature enabled.
It would be better to remove it and put attention on getting the last glitches ironed out of SafeWikiPlugin.
Pseudo-security is dangerous because it lures people into believing that things are safe even when they are not.
--
KennethLavrsen - 02 Nov 2009
Changed status to "Being worked on" by Paul, since he's on the right track.
--
CrawfordCurrie - 02 Nov 2009
I would like to do more work on SafeWikiPlugin, but it's not something I have time to do for 1.0.8.
Perhaps we can leave things as they are for the next patch release and so drop this down to Normal?
--
PaulHarvey - 02 Nov 2009
Simply improving the help texts in configure will do fine for 1.0.8, since the default is that {AllowInlineScript} is 1.
And we can close the bug report on this.
The deprecation should go in a feature proposal. Just in case.
--
KennethLavrsen - 04 Nov 2009
Done: Development.DeprecateAllowInlineScript
--
PaulHarvey - 05 Nov 2009
Re-opening
Paul forgot to add the new checkers to the MANIFEST so this fix is not in 1.0.8
And someone has changed the build script so it does not warn about files not in MANIFEST, so I did not know until it was too late.
--
KennethLavrsen - 29 Nov 2009
Yikes. I should have caught that :-/ Updated MANIFEST.
For the next patch release, do we just kill this feature or keep the checkers?
--
PaulHarvey - 30 Nov 2009
Keep the checkers, please. {AllowInlineScript} is deprecated, not removed.
--
CrawfordCurrie - 30 Nov 2009
Item2429 is dealing with deprecating this for trunk/1.1. Set WaitingForRelease.
--
PaulHarvey - 30 Nov 2009