Can't put HTML/JavaScript example code in the Wiki (even inside @@)

thp4

While writing a HOWTO for QtWebKit, I noticed that the wiki removes certain JavaScript-y content from my submissions - i.e. a script tag gets replaced with "[removed]". The same is true for dot innerHTML (I can't write it out, as it gets replaced even here in the forum).

Can you please leave content between at-at as-is or escape it so that its appearance on the wiki will be the same as in the source text between at-at, because this is usually what developers want :)

gurudutt

For security reason, our system try to change all possible executable codes on to some string or removes it.

thp4

[quote author="Gurudutt" date="1291292154"]For security reason, our system try to change all possible executable codes on to some string or removes it.[/quote]

Security? "You are doing it wrong.":http://bugreports.qt.nokia.com/browse/QTWEBSITE-113 (No offense :))

Just escape user input properly - that works and is secure. Also then, legitimate uses of JavaScript-like content won't be messed up, but just displayed as-is on the Forum and Wiki.

Usually, it's enough to escape the angle brackets (less-than and greater-than) and the ampersand.

xsacha

I think if you can change the javascript to '[removed]' you can also change it to something else that isn't harmful but keeps the original intent. I originally thought it was just in text but in code too? Why?

It's pretty bad to knock out javascript when a big part of this forum and wiki is about using javascript in QtQuick.

thp4

[quote author="xsacha" date="1291304330"]I think if you can change the javascript to '[removed]' you can also change it to something else that isn't harmful but keeps the original intent. I originally thought it was just in text but in code too? Why?

It's pretty bad to knock out javascript when a big part of this forum and wiki is about using javascript in QtQuick.[/quote]

If you just "htmlspecialchars" (or the equivalent of what language you use for your web stuff) the code parts and leave them otherwise untouched, this should work. No need to try to "detect" dangerous Javascript and hide it or replace it with something.

thp4

Any chance of getting this fixed? Or should I file a separate bug report / feature request?

gurudutt

[quote author="thp" date="1291394347"]Any chance of getting this fixed? Or should I file a separate bug report / feature request?[/quote]

I have created issue about it for rethinking things and the way we are handling this.
It may take some time to come back with fixe, since we have to decide it first and if decided something then implement it.