Feature Proposal: Deprecate {AllowInlineScript} option in configure

Motivation

The option does not actually provide any real security; especially given ADDTOHEAD, it is probably seldom used, and it breaks the strikeone {Validation}{Method}.

Description and Documentation

Refer to Tasks.Item2305.

Have added checkers to configure that give a configure error message against {Validation}{Method} and {AllowInlineScript} if the two options are in incompatible states.

This option needs to be deprecated though.

Examples

Impact


Implementation

-- Contributors: PaulHarvey - 05 Nov 2009

Discussion

Having raised the original bug, it goes without saying that I fully support this. KennethLavrsen has also expressed support.

-- CrawfordCurrie - 05 Nov 2009

Confirmed. I fully support this. It does not harm any applications. There is no compatibility issue by removing the feature.

Best case the feature is harmless. Worst case it lures people into thinking the site is secured against JS. But this is not at all the case. It is pseudo security which is in itself more insecure. Either a feature removes all harmful JS or it does not.

And in this case deprecation and quick removal is the right thing to do and instead channel the effort onto getting SafeWikiPlugin better and better and maintain this in future in a community context.

-- KennethLavrsen - 05 Nov 2009
Topic revision: r7 - 18 Feb 2010, MichaelDaum