Problem: inline
Web slides are sort of a regular web page, but not exactly: no action
links, and almost none of the other accoutrements of page.tmpl. The
branch's current behavior is that Remark slides are naively inlined like
any other page, which -- because the Markdown is deliberately not being
rendered by ikiwiki -- results in the slide source being displayed (and
not elegantly). Clicking through to the slides works right, of course.
Should inline (and more generally PageSpec) understand that web slides are not exactly regular pages? And/or should this plugin detect when slides are being inlined and allow ikiwiki to process the Markdown as a sort of "preview"? --schmonz
If you want web slides to not be a normal page, that's what internal pages are for. An internal page has an extension (file type) starting with
_, and has the following properties:
foo._extdoes not automatically renderfoo[/index].htmlglob(foo)(for which unadorned globs are syntactic sugar) does not match it, you have to useinternal(foo)- editpage won't edit it
I'd be very tempted to use
foo._remarkand set it up so all such pages are copied tofoo.htmlunchanged. You'd probably have to add a new hook that is run instead of most or all ofrender(), and also make those pages exempt fromderender_internal()?When a remark page is inlined (via
internal()if it's internal) I think it might be nice to pass it through (the htmlize function of) ikiwiki's normal mdwn instead. --smcv
Concern: safety of web-editing
Even though remarkpage.tmpl has no action links, is it still possible
for someone to trick their way into web-editing a slide deck? And if
they do, is that dangerous? --schmonz
Yes, it's likely both possible and dangerous. If you've already deployed this plugin, make sure it's covered by lockedit.
Every page that is not internal can be edited. Look at editpage for the (only) logic that is applied when deciding whether to accept an edit: whether there is an action link is irrelevant.
Here page is a jargon term for something matching
page(), i.e. its extension is the same as the name of ahtmlizehook, while internal means a page whose extension additionally starts with_.I think there's a cross-site scripting vulnerability here. If there is some Markdown source that is seen as OK by htmlscrubber and htmlbalance, but induces remark.js to produce HTML that is then evaluated in the security context of your wiki and executes attacker-supplied JavaScript in visitors' browsers, then an attacker able to edit the remark source could act with the privileges of your wiki and anything else that shares its origin (domain name). In particular, the attacker could steal login cookies. The simplest proof-of-concept would be something like
[click here](javascript:alert("XSS! " + document.cookie)). --smcv