[pmwiki-users] CSS for one (or all) tag in _a single_ page (inline or in head)

Thu Aug 24 13:11:46 CDT 2006

On Thu, Aug 24, 2006 at 10:57:41AM -0700, Andrew Standfield wrote:
> >So, for example, if (:stylepage:) were limited to including pages
> >from the Site group, then it's much safer because edit access to
> >Site.* pages is usually well protected.
> 
> Excellent point. That would also be much easier to do...
> 
> /me glances at Hans hoping he'll implement that...

Well, I'm also thinking that with a bit of tweaking it might
be possible to have the (:stylepage:) markup generate

    <link rel='stylesheet' href='{$PageUrl}?action=source' type='text/css' />

tags instead of directly including the CSS into the page output.
This would make it possible for browsers to cache the shared stylesheet,
as well as potentially reduce the overall bandwidth to the site.

There are two problems with this approach, however:
   1. ?action=source returns "Content-Type: text/plain", so we'd
      need some way of switching that to be text/css when appropriate.
   2. The site has to have $EnableIMSCaching enabled, otherwise
      every page request results in additional calls to retrieve
      the CSS page, which is actually *more* bandwidth and slower.

Another possibility is for the (:stylesheet:) markup to generate
tags like

    <link rel='stylesheet' href='{$PubDirUrl}/cache/{$FullName}.css' type='text/css' />

and have the stylesheet data copied from the referenced page into a
public cache file that is automatically updated whenever we
detect that the stylesheet page has changed.  This could reduce 
bandwidth a lot.

Pm

> On Aug 24, 2006, at 10:52 AM, Patrick R. Michaud wrote:
> 
> >On Thu, Aug 24, 2006 at 10:45:52AM -0700, Andrew Standfield wrote:
> >>I don't think there's any more chance of malicious authors doing bad
> >>things with css then there is with allowing *any* form of markup.
> >
> >PmWiki's existing markups are fairly limited in terms of what
> >can be done -- i.e., it's difficult for an author to perform
> >a cross-site scripting attack using PmWiki's existing markups.
> >
> >However, if an author can generate arbitrary CSS, then cross-site
> >attacks become much more possible.
> >
> >>I think a bigger issue would be novices to CSS creating unstable
> >>style sheets. I've actually tried to think of ways to combat that or
> >>if you just want for the admin to be able to include styles. It would
> >>be interesting to require some kind of password for the (:stylepage:)
> >>directive.
> >
> >That's a bit backwards -- the trick isn't to password protect
> >the stylepage directive, but to password-protect whatever it
> >includes.  (Stated slightly differently:  password-protection of
> >the directive doesn't prevent someone from editing the page
> >it's including.)
> >
> >So, for example, if (:stylepage:) were limited to including pages
> >from the Site group, then it's much safer because edit access to
> >Site.* pages is usually well protected.
> >
> >Pm
> >
> >
> >
> >>On Aug 24, 2006, at 10:31 AM, Patrick R. Michaud wrote:
> >>
> >>>On Thu, Aug 24, 2006 at 10:26:02AM -0700, Andrew Standfield wrote:
> >>>>Clemens,
> >>>>
> >>>>I think what you may want is the stylepage.php solution by Hans.  
> >>>>You
> >>>>can find it near the bottom of the CSS in Wiki Pages Recipe:  
> >>>>http://
> >>>>pmwiki.org/wiki/Cookbook/CSSInWikiPages
> >>>>
> >>>>After installing, it allows you to make a wiki page that you put
> >>>>standard CSS declarations in. You can then call it from any other
> >>>>page using (:stylepage Group.ExamplePage:).
> >>>
> >>>I hadn't noticed this particular recipe -- it's excellent.
> >>>
> >>>So far I've been reluctant to allow any sort of direct CSS
> >>>modification through pages because it might make it possible
> >>>for malicious authors to do bad things to the site.  But having
> >>>an administrative CSS-via-wiki-page option seems like it could
> >>>be worthwhile.
> >>>
> >>>I'd love to hear others' opinions about this.
> >>>
> >>>Pm
> >>>
> >>
> >>
> 
> 