Edit preview interferes with JavaScript

[Ulf Dittmer <ul...@googlemail.com.INVALID>]

I'm trying to insert JavaScript into a wiki page, like this:

[{If page='SandBox' exists='true'

<script language="javascript">document.writeln("<b>User Agent: </b>" +
navigator.userAgent);</script>}]

(Yes, it's a gross hack, but I'm just playing a bit with what's possible,
and sometimes it's nice to be able to inject arbitrary content into a page.)

The page displays as I would expect, but if I try to edit it, the preview
of the JavaScript bit takes over the entire screen, making editing
impossible. You can see for a short moment that the edit screen is actually
displayed correctly, before the preview is triggered.

I got to this point by creating the page with 2.11M3 which IIRC didn't have
the preview, but now I'm using 2.11M6.

So I'm wondering a) Is this a bug that could be fixed?, and b) Is there a
way to turn off the preview, ideally just for this page?

Thanks!

Ulf

Re: Edit preview interferes with JavaScript

[Juan Pablo Santos Rodríguez <ju...@gmail.com>]

Forgot to add, regarding maps integration, you can also check haddock
built-in support at https://jspwiki-wiki.apache.org/Wiki.jsp?page=Maps


HTH,
JP

El mar., 23 jun. 2020 19:46, Juan Pablo Santos Rodríguez <
juanpablo.santos@gmail.com> escribió:

> Hi Ulf,
>
> You can also set jspwiki.translatorReader.allowHTML = true on your
> jspwiki.properties but that opens up a security risk on your installation,
> so it may not be a suitable option (e.g. public facing wikis).
>
> Regarding the sameSite cookie attribute, would you mind filling a jira?
>
> (on mobile + broken hand pls excuse brevity + typos)
>
> best regards,
> JP
>
> El mar., 23 jun. 2020 10:13, Ulf Dittmer
> <ul...@googlemail.com.invalid> escribió:
>
>> >
>> > You may want to check an older plugin (
>> > https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts)
>>
>> who allows you to do this, but not sure if this would still work.
>> >
>>
>> That executes JavaScript on the server using Rhino, but I'm trying to add
>> client-side JavaScript so it can interact with the browser and other
>> JavaScript code, e.g. Google Maps. I had written a plugin for that purpose
>> -which works fine- and was wondering if there were other ways of adding
>> arbitrary JavaScript code to a page.
>>
>

Re: Edit preview interferes with JavaScript

[Juan Pablo Santos Rodríguez <ju...@gmail.com>]

Hi Ulf,

You can also set jspwiki.translatorReader.allowHTML = true on your
jspwiki.properties but that opens up a security risk on your installation,
so it may not be a suitable option (e.g. public facing wikis).

Regarding the sameSite cookie attribute, would you mind filling a jira?

(on mobile + broken hand pls excuse brevity + typos)

best regards,
JP

El mar., 23 jun. 2020 10:13, Ulf Dittmer <ul...@googlemail.com.invalid>
escribió:

> >
> > You may want to check an older plugin (
> > https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts)
>
> who allows you to do this, but not sure if this would still work.
> >
>
> That executes JavaScript on the server using Rhino, but I'm trying to add
> client-side JavaScript so it can interact with the browser and other
> JavaScript code, e.g. Google Maps. I had written a plugin for that purpose
> -which works fine- and was wondering if there were other ways of adding
> arbitrary JavaScript code to a page.
>

Re: Edit preview interferes with JavaScript

[Ulf Dittmer <ul...@googlemail.com.INVALID>]

> You can also set jspwiki.translatorReader.allowHTML = true on your
> jspwiki.properties but that opens up a security risk on your installation

That made the difference. I had set it to true; if I set it to false, the
JavaScript is displayed, not executed.
I understand the security implications; only a select few people will be
able to edit pages on this wiki.

> Would it be possible to make a testpage on
https://jspwiki-wiki.apache.org/ to reproduce the issue ?

I tried, but couldn’t - presumably allowHTML is set to false. The page you
made will probably show the preview issue if you set allowHTML to true.


> Regarding the sameSite cookie attribute, would you mind filling a jira?

Done: https://issues.apache.org/jira/browse/JSPWIKI-1129


> regarding maps integration, you can also check haddock
> built-in support at https://jspwiki-wiki.apache.org/Wiki.jsp?page=Maps

Yeah, I’d seen that. Writing my own plugin for that was more of an exercise
in learning to write plugins (and in unlocking some extra capabilities of
the Google Maps JavaScript API).


> https://jspwiki-wiki.apache.org/Wiki.jsp?page=Chartist

That is neat! That’ll become part of my installation.


Thanks to both of you for all the help! I'm learning a lot here.

Re: Edit preview interferes with JavaScript

[Dirk Frederickx <di...@gmail.com>]

Ulf

Adding client-side javascript adds security issues.
But if your wiki is running in a secure space;  that could be ok.


You can find an example of client-side javascript injection in
https://jspwiki-wiki.apache.org/Wiki.jsp?page=Chartist
This behavior converts wiki tables into graphic representations.
Parameters are passed to the %%chartist behavior as JSON like objects.
But it is also support JS functions !   => look at the example of the PIE
chart.

(The CHARTIST behavior is not part of the standard distr. ;  so you'll have
to install it locally to see it work.)

Hope you find this helpful.

dirk






On Tue, Jun 23, 2020 at 10:13 AM Ulf Dittmer
<ul...@googlemail.com.invalid> wrote:

> >
> > You may want to check an older plugin (
> > https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts)
>
> who allows you to do this, but not sure if this would still work.
> >
>
> That executes JavaScript on the server using Rhino, but I'm trying to add
> client-side JavaScript so it can interact with the browser and other
> JavaScript code, e.g. Google Maps. I had written a plugin for that purpose
> -which works fine- and was wondering if there were other ways of adding
> arbitrary JavaScript code to a page.
>

Re: Edit preview interferes with JavaScript

[Ulf Dittmer <ul...@googlemail.com.INVALID>]

>
> You may want to check an older plugin (
> https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts)

who allows you to do this, but not sure if this would still work.
>

That executes JavaScript on the server using Rhino, but I'm trying to add
client-side JavaScript so it can interact with the browser and other
JavaScript code, e.g. Google Maps. I had written a plugin for that purpose
-which works fine- and was wondering if there were other ways of adding
arbitrary JavaScript code to a page.

Re: Edit preview interferes with JavaScript

[Dirk Frederickx <di...@gmail.com>]

Ulf,

Would it be possible to make a testpage on https://jspwiki-wiki.apache.org/ to
reproduce the issue ?
So I can check what js error it throws.

dirk


On Tue, Jun 23, 2020 at 9:41 AM Ulf Dittmer
<ul...@googlemail.com.invalid> wrote:

> Huh. Then there's a disconnect somewhere: As I said, this technique works
> fine for me in M3 and M6. If I turn off the preview, I can edit the page
> fine. There's indeed an error where it is trying to create the script
> element during preview:
>
> [Error] NotFoundError: The object can not be found here.
> removeChild (haddock.js:1:15374)
> exec (haddock.js:1:15374)
> success (haddock.js:1:89108)
> (anonymous function) (haddock.js:1:17784)
> onStateChange (haddock.js:1:84471)
> (anonymous function) (haddock.js:1:17784)
> (anonymous function)
>
> in this code in haddock.js:
>
>             var r = e.createElement("script");
>             r.setAttribute("type", "text/javascript"), r.text = n,
> e.head.appendChild(r), e.head.removeChild(r)
>
>
> Thanks for pointing me to JSPluginScripts
> <https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts>; I'll check out what
> it does. If it no longer works I can probably get it back into order.
>
>
> On an unrelated note, Firefox warns of this:
>
> Cookie “JSPWikiUserPrefs” will be soon rejected because it has the
> “sameSite” attribute set to “none” or an invalid value, without the
> “secure” attribute. To know more about the “sameSite“ attribute, read
> https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
>
> Is that on someone's radar already, or should I open a JIRA ticket for it?
>
>
> On Mon, Jun 22, 2020 at 9:59 PM Dirk Frederickx <dirk.frederickx@gmail.com
> >
> wrote:
>
> > Hi Ulf,
> >
> > Adding javascript this way to a page will not work. It will show
> > the javascript as text on your page.
> > You may want to check an older plugin (
> > https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts) who allows you to do
> > this, but not sure if this would still work.
> >
> > Anyway, editing the page you've created should not cause any problems,
> with
> > or without preview.
> > I've created a small test page
> > https://jspwiki-wiki.apache.org/Wiki.jsp?page=TESTEST which seems to be
> > ok.
> > (running 2.11.0-M5)
> > You may want to check the browser developer console  for any JS errors ?
> >
> > BTW: you can turn off the edit preview with one of the dropdown menu's in
> > the edit toolbar : uncheck the LivePreview checkbox.
> >
> >
> > KR
> >     dirk
> >
> > On Mon, Jun 22, 2020 at 5:01 PM Ulf Dittmer
> > <ul...@googlemail.com.invalid> wrote:
> >
> > > I'm trying to insert JavaScript into a wiki page, like this:
> > >
> > > [{If page='SandBox' exists='true'
> > >
> > > <script language="javascript">document.writeln("<b>User Agent: </b>" +
> > > navigator.userAgent);</script>}]
> > >
> > > (Yes, it's a gross hack, but I'm just playing a bit with what's
> possible,
> > > and sometimes it's nice to be able to inject arbitrary content into a
> > > page.)
> > >
> > > The page displays as I would expect, but if I try to edit it, the
> preview
> > > of the JavaScript bit takes over the entire screen, making editing
> > > impossible. You can see for a short moment that the edit screen is
> > actually
> > > displayed correctly, before the preview is triggered.
> > >
> > > I got to this point by creating the page with 2.11M3 which IIRC didn't
> > have
> > > the preview, but now I'm using 2.11M6.
> > >
> > > So I'm wondering a) Is this a bug that could be fixed?, and b) Is
> there a
> > > way to turn off the preview, ideally just for this page?
> > >
> > > Thanks!
> > >
> > > Ulf
> > >
> >
>

Re: Edit preview interferes with JavaScript

[Ulf Dittmer <ul...@googlemail.com.INVALID>]

Huh. Then there's a disconnect somewhere: As I said, this technique works
fine for me in M3 and M6. If I turn off the preview, I can edit the page
fine. There's indeed an error where it is trying to create the script
element during preview:

[Error] NotFoundError: The object can not be found here.
removeChild (haddock.js:1:15374)
exec (haddock.js:1:15374)
success (haddock.js:1:89108)
(anonymous function) (haddock.js:1:17784)
onStateChange (haddock.js:1:84471)
(anonymous function) (haddock.js:1:17784)
(anonymous function)

in this code in haddock.js:

            var r = e.createElement("script");
            r.setAttribute("type", "text/javascript"), r.text = n,
e.head.appendChild(r), e.head.removeChild(r)


Thanks for pointing me to JSPluginScripts
<https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts>; I'll check out what
it does. If it no longer works I can probably get it back into order.


On an unrelated note, Firefox warns of this:

Cookie “JSPWikiUserPrefs” will be soon rejected because it has the
“sameSite” attribute set to “none” or an invalid value, without the
“secure” attribute. To know more about the “sameSite“ attribute, read
https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Is that on someone's radar already, or should I open a JIRA ticket for it?


On Mon, Jun 22, 2020 at 9:59 PM Dirk Frederickx <di...@gmail.com>
wrote:

> Hi Ulf,
>
> Adding javascript this way to a page will not work. It will show
> the javascript as text on your page.
> You may want to check an older plugin (
> https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts) who allows you to do
> this, but not sure if this would still work.
>
> Anyway, editing the page you've created should not cause any problems, with
> or without preview.
> I've created a small test page
> https://jspwiki-wiki.apache.org/Wiki.jsp?page=TESTEST which seems to be
> ok.
> (running 2.11.0-M5)
> You may want to check the browser developer console  for any JS errors ?
>
> BTW: you can turn off the edit preview with one of the dropdown menu's in
> the edit toolbar : uncheck the LivePreview checkbox.
>
>
> KR
>     dirk
>
> On Mon, Jun 22, 2020 at 5:01 PM Ulf Dittmer
> <ul...@googlemail.com.invalid> wrote:
>
> > I'm trying to insert JavaScript into a wiki page, like this:
> >
> > [{If page='SandBox' exists='true'
> >
> > <script language="javascript">document.writeln("<b>User Agent: </b>" +
> > navigator.userAgent);</script>}]
> >
> > (Yes, it's a gross hack, but I'm just playing a bit with what's possible,
> > and sometimes it's nice to be able to inject arbitrary content into a
> > page.)
> >
> > The page displays as I would expect, but if I try to edit it, the preview
> > of the JavaScript bit takes over the entire screen, making editing
> > impossible. You can see for a short moment that the edit screen is
> actually
> > displayed correctly, before the preview is triggered.
> >
> > I got to this point by creating the page with 2.11M3 which IIRC didn't
> have
> > the preview, but now I'm using 2.11M6.
> >
> > So I'm wondering a) Is this a bug that could be fixed?, and b) Is there a
> > way to turn off the preview, ideally just for this page?
> >
> > Thanks!
> >
> > Ulf
> >
>

Re: Edit preview interferes with JavaScript

[Dirk Frederickx <di...@gmail.com>]

Hi Ulf,

Adding javascript this way to a page will not work. It will show
the javascript as text on your page.
You may want to check an older plugin (
https://www.ecyrd.com/JSPWiki/wiki/JSPluginScripts) who allows you to do
this, but not sure if this would still work.

Anyway, editing the page you've created should not cause any problems, with
or without preview.
I've created a small test page
https://jspwiki-wiki.apache.org/Wiki.jsp?page=TESTEST which seems to be ok.
(running 2.11.0-M5)
You may want to check the browser developer console  for any JS errors ?

BTW: you can turn off the edit preview with one of the dropdown menu's in
the edit toolbar : uncheck the LivePreview checkbox.


KR
    dirk

On Mon, Jun 22, 2020 at 5:01 PM Ulf Dittmer
<ul...@googlemail.com.invalid> wrote:

> I'm trying to insert JavaScript into a wiki page, like this:
>
> [{If page='SandBox' exists='true'
>
> <script language="javascript">document.writeln("<b>User Agent: </b>" +
> navigator.userAgent);</script>}]
>
> (Yes, it's a gross hack, but I'm just playing a bit with what's possible,
> and sometimes it's nice to be able to inject arbitrary content into a
> page.)
>
> The page displays as I would expect, but if I try to edit it, the preview
> of the JavaScript bit takes over the entire screen, making editing
> impossible. You can see for a short moment that the edit screen is actually
> displayed correctly, before the preview is triggered.
>
> I got to this point by creating the page with 2.11M3 which IIRC didn't have
> the preview, but now I'm using 2.11M6.
>
> So I'm wondering a) Is this a bug that could be fixed?, and b) Is there a
> way to turn off the preview, ideally just for this page?
>
> Thanks!
>
> Ulf
>