This question about Configuration: Answered

How to configure SafeWikiPlugin?

I installed and enabled SafeWikiPlugin, but then I started getting errors of this sort in the foswiki log file:

2011-01-22T00:46:45Z warning | Parse loop not allowed at /www/w/lib/Foswiki/Plugins/SafeWikiPlugin/ line 33. The browser reported errors about malformed and/or unclosed head elements.

I turned on both FilterAll and CheckPurity and didn't change any of the other defaults.

In particular I left UnsafeURI to be just [ ].

To get things working again, I had to both disable the plugin and turn off FilterAll and CheckPurity.

Can anyone offer advice?

-- FilSalustri - 22 Jan 2011

First thing to check is that HTML::Parser is up to date, because that is where the error is coming from. Perhaps your HTML is sick? (guess)

-- CrawfordCurrie - 15 Feb 2011

Didn't think of that. Will investigate and report back. Thanks for the idea.

-- FilSalustri - 15 Feb 2011

I updated HTML::Parser, and turned SafeWikiPlugin back on, with FilterAll and CheckPurity off.

It works, but:
  1. I had to set {Validation}{Method} to "embedded" - using "strikeone" was causing a error, and
  2. I get an error in Security & Authentication > Environment saying Error: {AllowInlineScript} has been deprecated. Please use SafeWikiPlugin to remove potentially harmful topic content instead. However, I note that AllowInlineScript is NOT checked. Dunno what to do about that.
Should I be worried?

-- FilSalustri - 15 Feb 2011

More info: having done the above, raw edits don't work with NatEditPlugin on. I haven't checked what happens if I turn NatEditPlugin off. Sorry, no time.

I've disabled SafeWikiPlugin again, and put everything back as it was.

If anyone has any ideas, I'd love to hear 'em.

-- FilSalustri - 15 Feb 2011

AllowInlineScript - remove the setting from LocalSite.cfg (manually delete the line)

strikeone should work. What error?

NateEditPlugin dunno, never tested with it + SafeWikiPlugin

-- CrawfordCurrie - 21 Feb 2011

Here's the latest.
  • I made sure NatEditPlugin was disabled
  • I commented out AllowInlineScsript in lib/LocalSite.cfg
  • I enabled SafeWikiPlugin
  • validation method set to strikeone
  • I then got a warning from SafeWikiPlugin (in configure) that AllowInlineScript was on.
  • I un-checked AllowInlineScript in configure.
  • Now there are 2 errors:
    • Sessions > {validation}{method}: Validation method strikeone is not compatible with deprecated {AllowInlineScript} setting.
    • Environment > {AllowInlineScript}: {AllowInlineScript} has been deprecated. Please use SafeWikiPlugin to remove potentially harmful topic content instead.
  • I then disabled SafeWikiPlugin
  • Still get the same 2 errors
  • Back to configure, check AllowInlineScript again
  • Errors gone.
I noticed that a new line enabling AllowInlineScript was added to LocalSite.cfg.

So, now I'm thinking the problem may be NOT with SafeWikiPlugin, but with something having to do with AllowInlineScript and configure.

Anyone got any ideas?

-- FilSalustri - 15 Mar 2011

I am having the same issue with Foswiki 1.1.3. I installed it from debian package and also installed and enabled SafeWikiPlugin.

Then I got a warning from the plugin: {AllowInlineScript} is true, which allows topic contributors to embed arbitrary Javascript.

In the topic "Security and Authentication"-> "Environment" I disabled this setting and got the same 2 errors as Crawford.

I changed strikeone to embedded and could get rid one error. But the other error remains. I decided to change back the settings and ignore the warning at the plugin because it seems to me a false positive. The function of the plugin should make the deprecated setting obsolete, so it should not request it's usage.

-- MartinKedaj - 01 Jul 2011

Martin, right, AllowInlineScript is legacy. And it depends on how apache is configured whether a configure setting will "stick" the first time or not. If apache is configured to re-use processes (e.g. with mod_perl or fcgid) then you may have to restart the server.

The bottom line of all this is "if you are using SafeWikiPlugin, then set {Validation}{Method} to embedded and enable AllowInlineScript, right? The configure setup for SafeWikiPlugin checks this (as noted by Fil above_ so I guess we can call this "answered".

-- CrawfordCurrie - 02 Aug 2011

QuestionForm edit

Subject Configuration
Extension SafeWikiPlugin
Version Foswiki 1.1.2
Status Answered
Related Topics
Topic revision: r8 - 02 Aug 2011, CrawfordCurrie
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy