<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
  xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>[Satisfaction]: Is Javascript supported in PBwiki 2.0?</title>
    <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0</link>
    <description>Recent replies to 'Is Javascript supported in PBwiki 2.0?'</description>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_477141</link>
      <description>I tried adding jiglu to &lt;a href=&quot;http://macewan.pbwiki.com&quot; rel=&quot;nofollow&quot;&gt;http://macewan.pbwiki.com&lt;/a&gt; , but it doesn't seem to know how to index PBwiki pages very well.</description>
      <pubDate>Wed, 30 Apr 2008 13:42:47 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_477071</link>
      <description>I bumped into jiglu.com - they have a great tags-that-think tool&lt;br /&gt;
It uses a one-liner javascript&lt;br /&gt;
Is it possible to validate a library of validated javascripts like jiglu's?&lt;br /&gt;
best regards, Ron</description>
      <pubDate>Wed, 30 Apr 2008 13:14:30 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_357301</link>
      <description>Well, anybody inserting script would still be somebody logged into the wiki, so assuming you have pretty exclusive membership in your wiki, it'd be pretty close to what you are looking for.</description>
      <pubDate>Thu, 27 Mar 2008 16:57:01 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_356591</link>
      <description>Hi Mark,&lt;br /&gt;&lt;br /&gt;
Thanks for the explanation. Makes more sense to me now.  Guy's suggestion would be good but I do think such privileges should be restricted as mentioned by Guy and David below. Not sure if I like the idea of 'Tomfoolery mode' where anybody can insert script.  It would be cool if you did call it Tomfoolery mode though!</description>
      <pubDate>Thu, 27 Mar 2008 10:54:05 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_355921</link>
      <description>Thank you, sir.&lt;br /&gt;&lt;br /&gt;
[clever comment pre-emptively redacted under threat of excommunication]</description>
      <pubDate>Thu, 27 Mar 2008 01:01:10 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_355781</link>
      <description>Let me offer a clear and official response: we've _temporarily_ disabled arbitrary Javascript on 2.0 wikis to beef up our security infrastructure and make it harder for 2.0 users to have their sessions stolen. We know people want to hack on PBwiki, drop in javascript widgets from other sites, etc. and we'd like to be a great platform for that. So we're looking at ways to let people safely experience the joys of javascript.&lt;br /&gt;&lt;br /&gt;
Guy: your suggestion about letting only Admins save JS seems reasonable until you realize that the next Writer to edit the page after the Admin adds some JS would cause the JS to be stripped out...unless the JS is specially &quot;signed&quot; in some unmodifiable way. And one of our engineers (Mark, per above) is looking into ways to do such block code signing as we speak.&lt;br /&gt;&lt;br /&gt;
We may also consider letting users toggle a &quot;Tomfoolery Mode&quot; where they can let people in to do whatever they want (e.g. letting anonymous users slap in javascript) but acknowledge that they are in Wildly Unsupported Land and are liable to shoot themselves in the foot.&lt;br /&gt;&lt;br /&gt;
We apologize for the temporary inconvenience of having Javascript offline in 2.0 and look forward to letting people tool around again with it as soon as we've made it just a touch safer to do so.</description>
      <pubDate>Thu, 27 Mar 2008 00:18:21 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_355551</link>
      <description>&quot;The reason the HTML plugin in edit mode is filtered when the Custom HTML is not is because the Custom HTML can only be edited by an admin, someone who is presumably trustworthy.&quot;&lt;br /&gt;&lt;br /&gt;
I hadn't considered that aspect, but it certainly makes the solution quite obvious: don't strip out javascript (or CSS, or &lt;i&gt;anything&lt;/i&gt;, for that matter) from the HTML plugin if the Admin is doing the editing.  I'm pretty sure you are technically able to determine if I'm the wiki owner at the moment I click 'Save', right?&lt;br /&gt;&lt;br /&gt;
I would say &quot;for that matter, don't strip it out of the Source View, either&quot;, but I'm willing to concede that FCKeditor can't handle some things in the source.</description>
      <pubDate>Wed, 26 Mar 2008 21:58:41 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_355521</link>
      <description>There are all sorts of evil things you can do with JavaScript, ranging from stealing cookies to redirecting you to unsavory destinations.&lt;br /&gt;&lt;br /&gt;
The reason the HTML plugin in edit mode is filtered when the Custom HTML is not is because the Custom HTML can only be edited by an admin, someone who is presumably trustworthy. Especially on public wikis, allowing anyone to insert a chunk of random JavaScript would be incredibly dangerous.&lt;br /&gt;&lt;br /&gt;
As for the “not very Web 2.0” statement, I think you'll find that JavaScript is stripped out pretty much everywhere. JavaScript getting through the cracks means the potential for Cross-Site Scripting attacks, and those are no good.&lt;br /&gt;&lt;br /&gt;
The bottom line is that we're continually hardening PBwiki 2.0's security, including its defenses against malicious code, but it's an ongoing process. Security is pretty meaningless if the service isn't useful for people. We will re-evaluate the dynamics of unfiltered user code again as conditions change. JavaScript can do a lot of amazing things, and believe me, no one wants to see those things more than we do.</description>
      <pubDate>Wed, 26 Mar 2008 21:48:34 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_355421</link>
      <description>I thought pbwiki 2.0 was the next step in the natural evolution of pbwiki and not the production of a completely different pbwiki platform.  The idea that we can't talk about pbwiki 2.0 functionality while directly referring to its predecessor seems ludicrous given that it is expected that all pbwiki 1.0 wikis will migrate to 2.0 eventually. Javascript has always been available in 1.0 and it was not a gross assumption to think that it would be supported in 2.0. Just because you have stuck a 2.0 at the end and improved certain functionality does not mean you can take valuable functionality away from your users with them being unhappy.&lt;br /&gt;&lt;br /&gt;
I can possibly see the logic in applying a subscription to fend off spammers and the like but I'd like to know how much of a problem it really is before I accept the justification for money to change hands.  I work on evidence and I have not seen much in the way of that yet.  The fact that the team skirt round meaty issues like this just fosters a belief that we are being screwed!  &lt;br /&gt;&lt;br /&gt;
Finally, and I'll shut up after this.  If you are working on the principle that charging for adding javascript to the header will put spammers off, why not allow page-by-page javascript in the same vein?  Maybe there is a technical answer to this which is beyond me but I cannot understand this.  Can anyone enlighten me?</description>
      <pubDate>Wed, 26 Mar 2008 21:25:01 -0000</pubDate>
    </item>
    <item>
      <title>RE: Is Javascript supported in PBwiki 2.0?</title>
      <link>http://getsatisfaction.com/pbwiki/topics/is_javascript_supported_in_pbwiki_2_0#reply_355271</link>
      <description>It's not that we're afraid you, the users who are trying to use PBwiki to the fullest, will implement malicious Javascript.  It's people who, in the past, we've had to block and ban because they were using their wikis to spam and spread viruses.  We don't have any way of doing background checks on our users to make sure they won't use PBwiki to harm others, and we wouldn't ever want to.  That would be absurd, a waste of time, and most importantly, a serious privacy invasion.  Way too paranoid for us.&lt;br /&gt;&lt;br /&gt;
So what we do is put it behind a barrier of money, much like MetaFilter.  They charge $5 to create an account, and simply by putting a price on registration, they get rid of a lot of random trolls, spammers, griefers, and other people who generally frequent open forums and the like, just to get a kick out of annoying others.  &lt;br /&gt;&lt;br /&gt;
Similarly, if we have Javascript be a paid feature, we can prevent people who just want to take advantage of PBwiki's features from doing as much harm as they could if they were able to utilize Javascript as well.&lt;br /&gt;&lt;br /&gt;
I'm sure I could be explaining this better.  I know other people around the office have found some weird things that happen with Javascript on 2.0 wikis, I'll have one of them pipe in soon.</description>
      <pubDate>Wed, 26 Mar 2008 20:37:39 -0000</pubDate>
    </item>
  </channel>
</rss>