Quills Notes
Plone HISTORY.txt says:
- DiscussionTool.cookReply needs to be available to anyone who can comment
on an item, otherwise the comment will not be cooked and we get HTML
injection. This fixes http://dev.plone.org/plone/ticket/5718
[alecm]
Ticket 5718 says:
(Rest omitted).
I don't understand where cookReply is called but suspect this implies we can enable HTML in comments.
There should be some setting in ZMI that allows setting default for comments to allow HTML or structured text instead of requiring only plain text.
See below.
In Plone/Instance/Products there are the following (when downloaded and deployed):
Quills/syndication.py -
class WeblogEntryFeedSource(BaseFeedSource):
"""An adapter from IWeblogEntry to IFeedSource that feeds out the
entry's comments.
"""
This implies that Quills will supply comments as an RSS feed.
Quills/tests/test_weblogentry.py - in class TestWeblogEntry there is a method def testAllowDiscussion. This confirms that Quills uses the standard portal Discussion tool for its comments.
CMFPlone/DiscussionTool.py - this is the standard portal Discussion tool used by Quills?
from Products.CMFDefault.DiscussionTool import DiscussionTool as BaseTool
class DiscussionTool(PloneBaseTool, BaseTool):
this inherits from from CMFDefault/DiscussionTool.py (see below) and modifies it so it does not allow HTML comments?
in class DiscussionTool there is a method:
security.declareProtected(ReplyToItem, 'cookReply')
def cookReply(self, reply, text_format=None):
""" TODO We need this because currently we can not easily change the
text_format on document objects. Discussions in plone are going
to use plain-text for now. stx is too confusing.
"""
I think this means that cookReply is automatically called when using the ReplyToItem permission, so as to protect from injecting javascript etc into replies that can pop up dialog boxes and wreak havoc.
This method cookReply uses:
from StructuredText.StructuredText import HTML
from DocumentTemplate.DT_Util import html_quote
These are not in Products but in Plone/lib/python/
This implies (I think) that the default DiscussionTool used by Quills has been modified so the ability to allow HTML is turned off.
CMFDefault/DiscussionTool.py has the class DiscussionTool from which the CMFPlone/DiscussionTool.py inherits.
It has a method:
def _createDiscussionFor( self, content ):
""" Create DiscussionItemContainer for content, if allowed.
"""
if not self.isDiscussionAllowedFor( content ):
raise DiscussionNotAllowed
content.talkback = DiscussionItemContainer()
return content.talkback
This uses class DiscussionItemContainer
from DiscussionItem import DiscussionItemContainer
CMFDefault/DiscussionItem.py contains most of the code used for the default discussion handling, which has been overidden by cookReply above.
It has a method def addDiscussionItem which creates an instance of class DiscussionItem and modifies the text using the method scrubHTML.
class DiscussionItem inherits from Document and should work the same as other Plone Documents (eg can use structured text or HTML and kupu).
scrubHTML is a utility imported by:
from utils import scrubHTML
CMFDefault/utils.py - this has the implementation of scrubHTML.
def scrubHTML( html ):
""" Strip illegal HTML tags from string text.
"""
parser = StrippingParser()
...
class StrippingParser( SGMLParser ):
""" Pass only allowed tags; raise exception for known-bad.
"""
This uses the definitions of VALID_TAGS and NASTY_TAGS in utilils.py to allow only "safe" HTML.
So my theory is that by fixing CMFPlone/DiscussionTool.py so that it does not prevent this stuff working by means of cookReply, or whatever makes plain text the only form of permitted comment, Quills (and the rest of Plone) would allow what we need in comments.
I don't understand how it all works in detail or how to fix it but suspect it is something that Quills authors or others familiar with Plone would understand how to do easily. In particular "alecm" who filed the report that the defect had been fixed quoted above should know exactly what to do.
In addition there is a product:
easycommenting/ - This could be used to modify Quills so that it allowed the same sort of comments as in most blogs, with facilities for moderating them and quickly checking for spam etc. That may not be easy to do and may not be useful.
There is another product:
qPloneComments/ - which looks as though it would be easier to istall and would also provide similar or better useful enhancements. See README.txt
qPloneComments/patch.py - works by patching CMFDefault/DiscussionItem.py
- DiscussionTool.cookReply needs to be available to anyone who can comment
on an item, otherwise the comment will not be cooked and we get HTML
injection. This fixes http://dev.plone.org/plone/ticket/5718
[alecm]
Ticket 5718 says:
By default comments (former discussions) in plone 2.5 seem to accept html code, s.t. <script>alert('This is an alertbox')</script> is executed when viewing. I posted this on gmane.comp.web.zope.plone.user and got the following answer by Alexander Limi:
By default, Plone comments should be plain text, not HTML - if somebody changed that, they screwed up. :)
...Please file a bug at http://dev.plone.org/plone and mention what I said above.
08/12/06 18:34:17 changed by alecm ΒΆ
- status changed from new to closed.
- resolution set to fixed.
(Rest omitted).
I don't understand where cookReply is called but suspect this implies we can enable HTML in comments.
There should be some setting in ZMI that allows setting default for comments to allow HTML or structured text instead of requiring only plain text.
See below.
In Plone/Instance/Products there are the following (when downloaded and deployed):
Quills/syndication.py -
class WeblogEntryFeedSource(BaseFeedSource):
"""An adapter from IWeblogEntry to IFeedSource that feeds out the
entry's comments.
"""
This implies that Quills will supply comments as an RSS feed.
Quills/tests/test_weblogentry.py - in class TestWeblogEntry there is a method def testAllowDiscussion. This confirms that Quills uses the standard portal Discussion tool for its comments.
CMFPlone/DiscussionTool.py - this is the standard portal Discussion tool used by Quills?
from Products.CMFDefault.DiscussionTool import DiscussionTool as BaseTool
class DiscussionTool(PloneBaseTool, BaseTool):
this inherits from from CMFDefault/DiscussionTool.py (see below) and modifies it so it does not allow HTML comments?
in class DiscussionTool there is a method:
security.declareProtected(ReplyToItem, 'cookReply')
def cookReply(self, reply, text_format=None):
""" TODO We need this because currently we can not easily change the
text_format on document objects. Discussions in plone are going
to use plain-text for now. stx is too confusing.
"""
I think this means that cookReply is automatically called when using the ReplyToItem permission, so as to protect from injecting javascript etc into replies that can pop up dialog boxes and wreak havoc.
This method cookReply uses:
from StructuredText.StructuredText import HTML
from DocumentTemplate.DT_Util import html_quote
These are not in Products but in Plone/lib/python/
This implies (I think) that the default DiscussionTool used by Quills has been modified so the ability to allow HTML is turned off.
CMFDefault/DiscussionTool.py has the class DiscussionTool from which the CMFPlone/DiscussionTool.py inherits.
It has a method:
def _createDiscussionFor( self, content ):
""" Create DiscussionItemContainer for content, if allowed.
"""
if not self.isDiscussionAllowedFor( content ):
raise DiscussionNotAllowed
content.talkback = DiscussionItemContainer()
return content.talkback
This uses class DiscussionItemContainer
from DiscussionItem import DiscussionItemContainer
CMFDefault/DiscussionItem.py contains most of the code used for the default discussion handling, which has been overidden by cookReply above.
It has a method def addDiscussionItem which creates an instance of class DiscussionItem and modifies the text using the method scrubHTML.
class DiscussionItem inherits from Document and should work the same as other Plone Documents (eg can use structured text or HTML and kupu).
scrubHTML is a utility imported by:
from utils import scrubHTML
CMFDefault/utils.py - this has the implementation of scrubHTML.
def scrubHTML( html ):
""" Strip illegal HTML tags from string text.
"""
parser = StrippingParser()
...
class StrippingParser( SGMLParser ):
""" Pass only allowed tags; raise exception for known-bad.
"""
This uses the definitions of VALID_TAGS and NASTY_TAGS in utilils.py to allow only "safe" HTML.
So my theory is that by fixing CMFPlone/DiscussionTool.py so that it does not prevent this stuff working by means of cookReply, or whatever makes plain text the only form of permitted comment, Quills (and the rest of Plone) would allow what we need in comments.
I don't understand how it all works in detail or how to fix it but suspect it is something that Quills authors or others familiar with Plone would understand how to do easily. In particular "alecm" who filed the report that the defect had been fixed quoted above should know exactly what to do.
In addition there is a product:
easycommenting/ - This could be used to modify Quills so that it allowed the same sort of comments as in most blogs, with facilities for moderating them and quickly checking for spam etc. That may not be easy to do and may not be useful.
There is another product:
qPloneComments/ - which looks as though it would be easier to istall and would also provide similar or better useful enhancements. See README.txt
qPloneComments/patch.py - works by patching CMFDefault/DiscussionItem.py
(In [10409]) DiscussionTool?.cookReply needs to be available to anyone who can comment on an item, otherwise the comment will not be cooked and we get HTML injection. This fixes #5718