This question about Configuration: Answered
I installed and enabled SafeWikiPlugin, but then I started getting errors of this sort in the foswiki log file:
2011-01-22T00:46:45Z warning | Parse loop not allowed at /www/w/lib/Foswiki/Plugins/SafeWikiPlugin/Parser.pm line 33.
The browser reported errors about malformed and/or unclosed head elements.
I turned on both FilterAll and CheckPurity and didn't change any of the other defaults.
In particular I left UnsafeURI to be just [ ].
To get things working again, I had to both disable the plugin and turn off FilterAll and CheckPurity.
Can anyone offer advice?
--
FilSalustri - 22 Jan 2011
First thing to check is that HTML::Parser is up to date, because that is where the error is coming from. Perhaps your HTML is sick? (guess)
--
CrawfordCurrie - 15 Feb 2011
Didn't think of that. Will investigate and report back. Thanks for the idea.
--
FilSalustri - 15 Feb 2011
I updated HTML::Parser, and turned SafeWikiPlugin back on, with FilterAll and CheckPurity off.
It works, but:
- I had to set {Validation}{Method} to "embedded" - using "strikeone" was causing an error, and
- I get an error in Security & Authentication > Environment saying Error: {AllowInlineScript} has been deprecated. Please use SafeWikiPlugin to remove potentially harmful topic content instead. However, I note that AllowInlineScript is NOT checked. Dunno what to do about that.
Should I be worried?
--
FilSalustri - 15 Feb 2011
More info: having done the above, raw edits don't work with NatEditPlugin on. I haven't checked what happens if I turn NatEditPlugin off. Sorry, no time.
I've disabled SafeWikiPlugin again, and put everything back as it was.
If anyone has any ideas, I'd love to hear 'em.
--
FilSalustri - 15 Feb 2011
- AllowInlineScript - remove the setting from LocalSite.cfg (manually delete the line)
- strikeone should work. What error?
- NatEditPlugin dunno, never tested with it + SafeWikiPlugin
--
CrawfordCurrie - 21 Feb 2011
Here's the latest.
- I made sure NatEditPlugin was disabled
- I commented out AllowInlineScript in lib/LocalSite.cfg
- I enabled SafeWikiPlugin
- validation method set to strikeone
- I then got a warning from SafeWikiPlugin (in configure) that AllowInlineScript was on.
- I un-checked AllowInlineScript in configure.
- Now there are 2 errors:
  - Sessions > {validation}{method}: Validation method strikeone is not compatible with deprecated {AllowInlineScript} setting.
  - Environment > {AllowInlineScript}: {AllowInlineScript} has been deprecated. Please use SafeWikiPlugin to remove potentially harmful topic content instead.
- I then disabled SafeWikiPlugin
- Still get the same 2 errors
- Back to configure, check AllowInlineScript again
- Errors gone.
I noticed that a new line enabling AllowInlineScript was added to LocalSite.cfg.
So, now I'm thinking the problem may be NOT with SafeWikiPlugin, but with something having to do with AllowInlineScript and configure.
Anyone got any ideas?
--
FilSalustri - 15 Mar 2011
I am having the same issue with Foswiki 1.1.3. I installed it from the Debian package and also installed and enabled SafeWikiPlugin.
Then I got a warning from the plugin:
{AllowInlineScript} is true, which allows topic contributors to embed arbitrary Javascript.
In the topic "Security and Authentication"-> "Environment" I disabled this setting and got the same 2 errors as Crawford.
I changed strikeone to embedded and could get rid of one error. But the other error remains. I decided to change back the settings and ignore the warning at the plugin because it seems to me a false positive. The function of the plugin should make the deprecated setting obsolete, so it should not request its usage.
--
MartinKedaj - 01 Jul 2011
Martin, right, AllowInlineScript is legacy. And it depends on how apache is configured whether a configure setting will "stick" the first time or not. If apache is configured to re-use processes (e.g. with mod_perl or fcgid) then you may have to restart the server.
The bottom line of all this is "if you are using SafeWikiPlugin, then set {Validation}{Method} to embedded and enable AllowInlineScript", right? The configure setup for SafeWikiPlugin checks this (as noted by Fil above) so I guess we can call this "answered".
--
CrawfordCurrie - 02 Aug 2011