[pmwiki-users] Cookbook recipes and organization
Joachim Durchholz
jo at durchholz.org
Sat Apr 16 08:48:23 CDT 2005
Patrick R. Michaud wrote:
> On Sat, Apr 16, 2005 at 12:57:47PM +0200, Joachim Durchholz wrote:
>
>> Made it into a wiki trail and added EnableHTML (which I have used
>> to wikify some forms - actually that was the reason why I built
>> EnableHTML in the first place *ggg*).
>
> Actually EnableHTML is one of those recipes that got "promoted" from
> a simple recipe into a more sophisticated one and lost the benefits
> of having the simple one.
Here are the decisions that led to increased sophistication:
1) I wanted to properly pass through tag attributes, particularly if
attributes could contain strings with (in turn) HTML markup. Cleaning up
that borderline case was important to me, simply to take PmWiki further
into the direction of "rock-solid".
2) Regexes have never looked pretty, but the result looked outright
scary. So I moved the thing into a function and a recipe file, to put
the gory details out of sight of the innocent.
3) Both versions of the recipe allowed passing through arbitrary
attributes. This is quite dangerous (think style="..." with positioning
that overlays the "edit" link, or onLoad="arbitrary JavaScript code"),
so I amplified the scare warnings.
(3) would have been appropriate even if the recipe itself hadn't been
changed.
----
The recipe could have been kept simple by splitting it in two:
a) Just allow through <b>, <i>, <u>, but no attributes. (Essentially a
tone-down of the original recipe.) This would also have allowed
simplifying the recipe by removing all the security-related warnings.
b) EnableHTML for those who need the full power of attributes and have
the appropriate security policy in place. With an option for later
adding code to filter not just tags but attributes as well.
I didn't regard the increased complexity as bad enough to warrant that
move though. YMMV.
----
One aside note: EnableHTML became more sophisticated (though by a small
amount). On the plus side, it's an extremely low-sophistication variant
of all the forms recipes.
----
That all said, I'd be very interested in what made you think "ouch,
EnableHTML became more sophisticated".
Increased installation burden?
Increase in documentation?
Both?
None of the above but something entirely different?
Regards,
Jo
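
An added example, not part of the original message and not the EnableHTML recipe's code: a sketch of the two variants discussed above, (a) bare `<b>`, `<i>`, `<u>` only and (b) tags with per-tag attribute filtering. The function names, the `$policy` layout and the sample input are hypothetical; the text is assumed to be HTML-escaped already, so markup arrives as `&lt;...&gt;`.

```php
<?php
// Added example, not the EnableHTML recipe. Assumption: the text was already
// HTML-escaped (htmlspecialchars()), so all markup arrives as &lt;...&gt;.

// Variant (a): restore bare tags only. A tag carrying any attribute does
// not match and stays escaped, so it renders as inert text.
function allow_bare_tags(string $escaped, array $tags = ['b', 'i', 'u']): string {
    $names = implode('|', array_map('preg_quote', $tags));
    return preg_replace("#&lt;(/?)($names)&gt;#i", '<$1$2>', $escaped);
}

// Variant (b): restore tags with attributes, keeping only the attribute
// names allowlisted per tag; style and on* handlers are simply never listed.
// $policy maps lowercase tag name => list of allowed attribute names.
function allow_tags_with_attrs(string $escaped, array $policy): string {
    $names = implode('|', array_map('preg_quote', array_keys($policy)));
    $attr  = '([a-z-]+)=&quot;((?:(?!&quot;).)*)&quot;';
    // One pass over closing and opening tags, so text inside an attribute
    // value is consumed with its tag and never re-enabled as markup.
    $re = "#&lt;(?:/($names)|($names)((?:\\s+$attr)*)\\s*)&gt;#is";
    return preg_replace_callback($re, function (array $m) use ($policy, $attr): string {
        if ($m[1] !== '') {
            return '</' . strtolower($m[1]) . '>';   // closing tag
        }
        $tag = strtolower($m[2]);
        $out = "<$tag";
        preg_match_all("#$attr#is", $m[3], $found, PREG_SET_ORDER);
        foreach ($found as $a) {
            $name = strtolower($a[1]);
            if (in_array($name, $policy[$tag], true)) {
                $out .= " $name=\"{$a[2]}\"";        // value stays escaped
            }
        }
        return "$out>";
    }, $escaped);
}

// Constructed sample input, escaped the way the page text is assumed to be.
$raw = '<b style="position:absolute" onload="x()" title="hi">bold</b> <i>it</i>';
$esc = htmlspecialchars($raw);
echo allow_bare_tags($esc), "\n";
echo allow_tags_with_attrs($esc, ['b' => ['title'], 'i' => []]), "\n";
```

Unquoted or single-quoted attributes do not match the pattern, so such tags stay escaped; URL-bearing attributes such as `href` would additionally need a scheme check before being allowlisted.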