[pmwiki-users] CSS for one (or all) tag in _a single_ page (inline or in head)

Andrew Standfield andy at scruffyco.com
Thu Aug 24 13:58:52 CDT 2006


The two problems with the first possible tweak are pretty  
significant. Especially the Content-Type issue. I think that would  
make the style sheet fail in most cases, and would just be completely  
wrong in any others.

BTW, I never looked at ?action=source before. That's seriously a cool  
function. I always assumed it would return the full page source (i.e.  
the HTML of the whole thing, not just the raw text of the wiki  
entry). Am I right in assuming this is the way (:include:) works?

I digress.

After your first comment, I took a peak at Hans' code, and  
unfortunately, I really don't know enough PHP or regex to be able to  
tweak it (I tried), but I was thinking of a tweak that would allow  
someone to just include a line like:

$RequiredStyleGroup = 'ExampleStylesGroup';

in config.php.

Andy Standfield
http://www.vertigo25.com/
http://www.ipodnirvana.com/


On Aug 24, 2006, at 11:11 AM, Patrick R. Michaud wrote:

> On Thu, Aug 24, 2006 at 10:57:41AM -0700, Andrew Standfield wrote:
>>> So, for example, if (:stylepage:) were limited to including pages
>>> from the Site group, then it's much safer because edit access to
>>> Site.* pages is usually well protected.
>>
>> Excellent point. That would also be much easier to do...
>>
>> /me glances at Hans hoping he'll implement that...
>
> Well, I'm also thinking that with a bit of tweaking it might
> be possible to have the (:stylepage:) markup generate
>
>     <link rel='stylesheet' href='{$PageUrl}?action=source'  
> type='text/css' />
>
> tags instead of directly including the CSS into the page output.
> This would make it possible for browsers to cache the shared  
> stylesheet,
> as well as potentially reduce the overall bandwidth to the site.
>
> There are two problems with this approach, however:
>    1. ?action=source returns "Content-Type: text/plain", so we'd
>       need some way of switching that to be text/css when appropriate.
>    2. The site has to have $EnableIMSCaching enabled, otherwise
>       every page request results in additional calls to retrieve
>       the CSS page, which is actually *more* bandwidth and slower.
>
> Another possibility is for the (:stylesheet:) markup to generate
> tags like
>
>     <link rel='stylesheet' href='{$PubDirUrl}/cache/ 
> {$FullName}.css' type='text/css' />
>
> and have the stylesheet data copied from the referenced page into a
> public cache file that is automatically updated whenever we
> detect that the stylesheet page has changed.  This could reduce
> bandwidth a lot.
>
> Pm
>
>
>> On Aug 24, 2006, at 10:52 AM, Patrick R. Michaud wrote:
>>
>>> On Thu, Aug 24, 2006 at 10:45:52AM -0700, Andrew Standfield wrote:
>>>> I don't think there's any more chance of malicious authors doing  
>>>> bad
>>>> things with css then there is with allowing *any* form of markup.
>>>
>>> PmWiki's existing markups are fairly limited in terms of what
>>> can be done -- i.e., it's difficult for an author to perform
>>> a cross-site scripting attack using PmWiki's existing markups.
>>>
>>> However, if an author can generate arbitrary CSS, then cross-site
>>> attacks become much more possible.
>>>
>>>> I think a bigger issue would be novices to CSS creating unstable
>>>> style sheets. I've actually tried to think of ways to combat  
>>>> that or
>>>> if you just want for the admin to be able to include styles. It  
>>>> would
>>>> be interesting to require some kind of password for the  
>>>> (:stylepage:)
>>>> directive.
>>>
>>> That's a bit backwards -- the trick isn't to password protect
>>> the stylepage directive, but to password-protect whatever it
>>> includes.  (Stated slightly differently:  password-protection of
>>> the directive doesn't prevent someone from editing the page
>>> it's including.)
>>>
>>> So, for example, if (:stylepage:) were limited to including pages
>>> from the Site group, then it's much safer because edit access to
>>> Site.* pages is usually well protected.
>>>
>>> Pm
>>>
>>>
>>>
>>>> On Aug 24, 2006, at 10:31 AM, Patrick R. Michaud wrote:
>>>>
>>>>> On Thu, Aug 24, 2006 at 10:26:02AM -0700, Andrew Standfield wrote:
>>>>>> Clemens,
>>>>>>
>>>>>> I think what you may want is the stylepage.php solution by Hans.
>>>>>> You
>>>>>> can find it near the bottom of the CSS in Wiki Pages Recipe:
>>>>>> http://
>>>>>> pmwiki.org/wiki/Cookbook/CSSInWikiPages
>>>>>>
>>>>>> After installing, it allows you to make a wiki page that you put
>>>>>> standard CSS declarations in. You can then call it from any other
>>>>>> page using (:stylepage Group.ExamplePage:).
>>>>>
>>>>> I hadn't noticed this particular recipe -- it's excellent.
>>>>>
>>>>> So far I've been reluctant to allow any sort of direct CSS
>>>>> modification through pages because it might make it possible
>>>>> for malicious authors to do bad things to the site.  But having
>>>>> an administrative CSS-via-wiki-page option seems like it could
>>>>> be worthwhile.
>>>>>
>>>>> I'd love to hear others' opinions about this.
>>>>>
>>>>> Pm
>>>>>
>>>>
>>>>
>>
>>





More information about the pmwiki-users mailing list