ToDo R5.5


For issues regarding Unicode please look in our R6.0 ToDo list.



R5.5 is no longer maintained, please upgrade to R6.0. Open issues will be fixed in R6 branch.

R 5.5

Main Focus: HTML5 support, security related features

  1. HTTP Strict Transport Security (HSTS)
  2. Content-Security-Policy
  3. Cookies, CSRF sectoken
  4. https://www.owasp.org/index.ph[...]tication_Cheat_Sheet

1. MariaDB / MySQL type casting

https://dev.mysql.com/doc/refm[...]type-conversion.html
https://stackoverflow.com/ques[...]d-backticks-in-mysql


whOOt https://dev.mysql.com/doc/refm[...]ent-programming.html


2. Features

  1. normalize links to other language versions of a page
    • add table: lang_link[page_id, lang, target_id]
  2. add debug option to send error log into separate file + rotate logs
  3. add IP block to ban bad actors, bots

3. M17

open issues (add)

  1. relative linking seems not working for ((../ back to parent page)), it links to root level (?!)
  2. add delimiter before page handler (_properties)
    1. min_href()
    2. router.conf
  3. upload of file without extension -> broken
  4. empty body_r after page rename/relocation -> page needs re-rendering
  5. allow multi logins (on/off)
    1. add multi login warning: 'Jemand hat sich bereits an diesem Konto angemeldet'
    2. This account is currently being used in 1 other location at this IP ().
  6. add access throttling feature
    • limit the number of page requests by a single IP address within a given time interval
  7. add array for 'default' AND 'user' menu so both can used independently (create/edit menu sets)
  8. rewrite_mode setting in AP is pointless if it is overwritten in Setting class

4. Fix

  1. check for avoidable SQL roundtrip queries
  2. link() -> default: $anchor_link - should only active inside page_body (?)
    • additional check if its better to prefix the id="doc.deutsch.konfiguration"
      • to avoid unintentional mix with CSS settings
    • set anchor id only where needed, minimizes also size of attributes
  3. broken list in tree action if levels changes not in order - e.g. depth 1.2 -> depth 2.4
    1. show missing levels
  4. search?phrase="sourceforge.net" -> paging fails with "term to search"
  5. bug: news action takes all subpages - is this desired?
  6. improve search (open since ages), add some measures to improve relevance (time, size, user, filter, ...) and provide more and better meta data for search results
  7. implement rating hack (but without mandatory JS)
    1. https://www.youtube.com/watch?v=orPVEAipz2A
  8. add unique log message key to filter events (messages may differ)
  9. add regex for this->config['users_page']/[*]/
    • Yet the engine does not validate the namespace for the user cluster, so that nobody can create a page under /User except his own [UserName]
    • Then we can disallow random pages for the first level in the users cluster except the own [UserName].
    • The register action creates this page usually for the user.

5. Notifications

  1. Notifications

5.1. Notice digest

  • store events notices and compile digest for user [user|moderator|admin]
    • new user
    • comments
    • files
    • changes

6. Handler

  1. clone entire cluster is only available for Admins atm., it should also available for ...
  2. improve global upload settings
    1. allow groups
    2. set individual rights (only images, quota, etc. for a user, group)
  3. send page as email (like print)
  4. show: add option 'Flag as Spam/Inappropriate'
  5. show: Delayed Indexing delay_index
    • <meta name=“robots” content=“noindex,nofollow”>
  6. see upload subpage
    1. upload: check if the MIME type of the uploaded file matches the file extension
      1. https://www.owasp.org/index.ph[...]stricted_File_Upload
      2. https://www.acunetix.com/websitesecurity/upload-forms-threat/
      3. https://www.php.net/manual/en/[...]n.exif-read-data.php
    2. upload: add form field to chose another file name (?)
    3. upload: add accept attribute depending on config settings https://www.w3.org/TR/html5/fo[...]ml#attr-input-accept
  7. add meta handler namespace ['page', 'account', 'file', 'service']
    • This is the simplest way to standardize document locations and for the language-independent single instances of service pages, like login. Next step is the separated cluster for those pages, linked with prefix, for example, ((service:login)).
    • this can be easily done with the new URI router
    • handler/account/
  8. file: apply access restrictions for global files if Wiki is closed -> $
    1. add and enforce global Wiki mode, minimum access rights
    2. route global files only for registered users

7. Action

  1. template toc and tree

8. Formatter

  1. Search Highlighter
  2. (/Users/WikiAdmin UserSpace | WikiAdmin)) -fails on |
  3. <# #> adds <!--notypo--> on first and <!--/notypo--> on second appearance of double quote like class=""
    1. caused by race condition in wacko_preprocess() 
    2. <#<div class="" style="background:transparent; border:.1em solid #F66; border-left:1em solid #F66; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div>#>
2
<#<div class="" style="background:transparent; border:.1em solid #fcfce9; border-left:1em solid #fcfce9; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div>#>	
    3. <!--notypo--><div class="<!--notypo--> style="background:transparent; border:.1em solid #F66; border-left:1em solid #F66; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div>#><br />2<br /><#<div class=<!--/notypo-->" style="background:transparent; border:.1em solid #fcfce9; border-left:1em solid #fcfce9; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div><!--/notypo--><br />
  4. Wacko is spamming BRs, in between everything
  5. add option to hide protected links
    • You must login to see this link. Register now, if you have no user account yet.
  6. Error: Bad value 4 for attribute type on element ol.
    1. see $new_indent_type in wackoformatter -> error prone 
      •   1. hallo
    5. should not take the number but 1, same for i, I, a, A
    2. Block elements inside inline elements
    3. http://www.w3.org/TR/html5/gro[...]nt.html#attr-ol-type
  7. allow case insensitive matching of file links, e.g. File:image.jpg
  8. breaks quote 
    <[http://www.example.com]>
  9. <[ ]> eats blank line in quote, undesired
  10. broken nested quote 
    • <[block
<[nested quote]>
quote
]>

9. Admin Panel

  1. upload module 
    1. PAY ATTENTION TO SECURITY RISKS
 

Before adding random file/MIME types: please think about possible security issues.

For example HTML (.htm, .html), JavaScript (.js) and PHP (.php) file are types you’d better avoid as they can be “executed” on your server where you really would not want that to happen. For most of these kind of files, this should not be a problem though as these files are better off being compressed into a ZIP file anyway.

Only add file types that you REALLY need and that you are comfortable with.
  2. add module to filter, moderate and manage pages, comments, (files)
    1. see modules for content like pages
  3. recovery mode: CSS and images won't load
    • index.php: (!$db->ap_mode && RECOVERY_MODE) excludes static files!
      • !$db->ap_mode
  4. purge logs (TRUNCATE)
    1. log table
    2. referrers
    3. badbehavior 
    •  <thead class="data-head">
        <tr class="">
        </tr>
        [...]
    </thead>

<tbody id="table-section-one">
[...]
</tbody>

<tbody id="table-section-two">
[...]
</tbody>

10. Usability issues

  1. add double-click support for editing comments
  2. When should I use a select box instead of radio buttons?
    1. https://www.nngroup.com/articl[...]es-vs-radio-buttons/
  3. Not indicating an active form field
    • e.g. 
      textarea:focus {
    border: 1px solid red; }
    • You can use the ‘:focus’ selector on lots of elements, but it’s super handy when used on inputs and textareas to indicate that the field is active. Add CSS styling such as a highlighted border, or a subtle change to the background color.

Readings

  1. https://www.nngroup.com/articles/low-contrast/
  2. https://backchannel.com/how-th[...]eadable-a781ddc711b6

11. Ideas

  1. spam / badword handling -> bad_words($text) function
    1. https://en.wikipedia.org/wiki/Wordfilter
    2. https://stackoverflow.com/ques[...]ood-profanity-filter
    3. What you need is a good way for users to flag inappropriate content and a mechanism to deal with it swiftly. One way is to automatically hide/remove content if it's been flagged more than X times.
  2. rel="edit" -> https://tools.ietf.org/html/rfc686
  3. enforce ACL-Policy, e.g. set read to $, user can't overwrite the setting