Todo List

1. R 6.0

Roadmap
dev repo [bitbucket.org]
ChangeLog

Main Focus: UTF-8 support and migration and PHP 8.0 compatibility

R6.0 is more or less R5.5 with Unicode support. Please look here for open issues from R5.5 .

1.1. PHP

https://wiki.php.net/rfc/void_return_type

PHP 8 only functionality

New PHP 8 only functionality will be not added until 2023 to ensure support for all instances running still on PHP 7.2 – 7.4.

Currently Supported PHP Versions

1.1.1. PHP 7.4

https://www.php.net/manual/en/migration74.php
"Trying to access array offset on value of type ..." warning for accessing null/bool/int/float/resource as if it were an array -> bugs:553

1.1.2. PHP 8.0

1.2. Features

UTF-8 support – Migration to Unicode

1.3. Core

notify_watcher(): add direct link to diff mode in email body
add option for Permissions-Policy HTTP response header (successor)
- https://www.w3.org/TR/permissions-policy-1/
- ```
permissions-policy: camera=(), microphone=(), midi=(), geolocation=(), interest-cohort=()
```
Feature-Policy HTTP response header (depreciated)
- https://w3c.github.io/webappse[...]cy-http-header-field
- ```
feature-policy: camera 'none'; microphone 'none'; midi 'none'; geolocation 'none'
```
it sucks to see again and over again all these random session_notice(s), add a option to turn it off for daily work.
COLLATE utf8mb4_bin for tag eats 𝓦𝓲𝓴𝓲𝓦𝓸𝓻𝓭𝓼 in LIKE '/%' query, without slash it finds it, whO_Ot
Tag Pattern Issues
1. ~~it is possible to create a page tag with a underscore, but then the page won't be found via run() function because _ is cast away~~ – DONE
2. Only alphanumeric signs at the start and end of the tag and each subtag should be allowed, furthermore the use of more then one dot (.) or hyphen (-) in consecutive order should be not allowed, to avoid conflict with wiki formatter syntax.
UTF-8 text must be checked for well-formedness
localize default date formats
improve and foster message sets
set return type declarations : (array | bool | float | int | mixed | string | void | ... )
- http://docs.php.net/manual/en/[...]returning-values.php
fix client side JS input validation patterns, see below under testing
1. ~~login and registration action~~ DONE
2. new, clone and rename handler
Replace all HTML-Entities except HTML special chars
1. nbsp; — to indent or add extra spacing to a paragraph, sentence, or another portion, better using CSS instead of multiple non-breaking spaces.
add option to disable hit counter
allow also login with email address instead of user name
move link and notifications functions in own class
- $this->msg->notify_user()
- $this->ref->link()

1.4. Installer

validate username
Nginx: installer seems to activate rewrite_mode ?
const CACHE_SESSION_DIR = '/tmp'; is defined in constant.php, and currently not set via the installer
1. use ini_get('session.save_path') as indicator, BUT we do not use the PHP build in session! -> write value, its a nuisance that the user currently has to do this on his own
2. bugs:558
offer to create the recovery_password within the install process
use dbal also for installer: $db->sql_query($sql)

1.5. Handler

auto-save function on the edit and _comments handler by applying the localStorage function
saved discarded comment due invalidated token to avoid data loss
add ability to remove / hide certain revisions via GUI
send notice on comment edit and make change visible in actions like it is done for pages, to not miss possible important content changes
increase the default size of the comment textarea in the default theme
add option to send a copy of the personal message also to the sender
edit: set custom textarea size (user settings/JS)
diff: add page title to diff
properties: add page tag below page title: Tag: Cluster/Page – looks ugly

wordbreak, how to break lines of Chinese, Japanese, or Korean

line-break: strict;
white-space: nowrap;
word-break: keep-all;

1.6. Action

registration: add option to enforce certain user name patterns
registration: add white and blacklist for allowed email domains
poll: improve actions and add templates

1.7. Formatter

add support for AVIF – GD lib support pending! -> LibGD 2.3.2
add lazy loading for <img> tags in wackoformatter and for thumbnails in gallery action – DONE
- <img loading=lazy>
- https://web.dev/browser-level-image-lazy-loading/
- Do we want an option to turn it off, global, per user or device?
```
str_replace("\xc2\xa0", " ", $string);
```
text inside ##code formatter## is processed as wikitext with possibly undesired results
- the text must be escaped to be taken as is
removes intentional left empty lines inside info formatter
parse also anchor with dash, e.g. tag#one-two
((../ Go Back)) goes back two levels, but should go to parent page only
interwiki links are not tracked
<ignore> tags must be removed for diff-mode 0
- check output other than show handler, the replace should be done in one place
relative links were not parsed in the context of the page they are included, what is the default behavior?
re-parsing all pages and links may result in wrong toc references, when the included page gets parsed after the page which includes them
- HOTFIX: save all included pages with wrong toc reference again, this will update body_toc

1.8. Cache

set new default cache_ttl values in config default and description in documentation
- seconds duration
  
  600 10 minutes
  
  1200 20 minutes
  
  3600 1 hour
  
  7200 2 hours
  
  18000 5 hours
  
  86400 24 hours
  
  2678400 31 days

seconds	duration
600	10 minutes
1200	20 minutes
3600	1 hour
7200	2 hours
18000	5 hours
86400	24 hours
2678400	31 days

Evaluate page cache

SELECT cache_lang, method, count(cache_id) AS n 
FROM `prefix_cache` 
GROUP BY cache_lang, method 
ORDER BY `cache_lang`, n DESC, method;

1.9. Admin Panel

support templates
resync links excludes pages from owner System, we may remove this restriction
restore: process may fail while restoring page with certain Unicode
- needs further investigation, backup seems to works while restoring may fail
- creates empty REPLACE queries for page table until it causes a script termination due timeout

1.10. Database

Listing JOINS with no index: log_queries_not_using_indexes
- https://dev.mysql.com/doc/refm[...]es_not_using_indexes

1.11. WikiEdit

add Unicode support
use only one popup for new link, having link and link description together
popup for tables
1. select rows and columns
2. set table header
select color for text and highlighting
resize textarea
undo / redo
JavaScript search & replace

1.12. Libs

1.13. Refactoring

1.14. Themes

CSS: [dir=rtl]
defer scripts defer></script>
default theme
- background body: #ebeef2

1.15. Ideas

add action with conditional redirect by browser language to pre-selected pages, e.g. ['fr'] --> "/Doc/Français"
moderation/remove/rename of sub pages without modifying the parent cluster
add extension for https://github.com/mermaid-js/mermaid
JSON Feed
Captcha dictionary in Russian as drop in

1.16. Documentation

add README.md file to action, handler and formatter folder with a short introduction and HowTo
add a page for Terms in WackoWiki
- cluster, free link, wikilink, etc.
add CSP help page
add example for resizing image from a external source ((http://example.com/image.png width=500 align=center))
- height, width
- align=[ left | right | center ]
write your own action
write your own formatter
write your own theme
improve translation
- Wacko Markup [en]
- Wacko Markup [de]
add example for rewrite with Nginx – HELP needed

1.17. Feedback

1.18. Testing

https://github.com/rectorphp/r[...]rview.md#codequality

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf eval blockiert ("script-src"). 5 autocomplete.js:280:2

1.18.1. Test cases

-> Test cases

1.18.2. Debug

https://app.codacy.com/gh/WackoWiki/wackowiki/dashboard

http://phpmd.org

declare(strict_types=1);

For issues regarding Unicode please look in our R6.0 ToDo list.

R5.5 is no longer maintained, please upgrade to R6.0. Open issues will be fixed in R6 branch.

2. R 5.5

Roadmap
ChangeLog

Main Focus: HTML5 support, security related features

HTTP Strict Transport Security (HSTS)
Content-Security-Policy
Cookies, CSRF sectoken
https://www.owasp.org/index.ph[...]tication_Cheat_Sheet

2.1. MariaDB / MySQL type casting

https://dev.mysql.com/doc/refm[...]type-conversion.html
https://stackoverflow.com/ques[...]d-backticks-in-mysql

whOOt https://dev.mysql.com/doc/refm[...]ent-programming.html

2.2. Features

normalize links to other language versions of a page
- add table: lang_link[page_id, lang, target_id]
add debug option to send error log into separate file + rotate logs
add IP block to ban bad actors, bots

2.3. M17

open issues (add)

relative linking seems not working for ((../ back to parent page)), it links to root level (?!)
add delimiter before page handler (_properties)
1. min_href()
2. router.conf
3. abandon standard_handlers (?)
Guide to build templates
Permalink to page vs page version
CSS does not get routed in RECOVERY_MODE
relative time
1. global / user setting
2. where to use relative time and where not
3. different schemes
invalidate SQL and page cache (with common function) (?), which is also checking against config settings
add also footer after hard return, GUI consistency
how to check access privileges for a group, e.g. has_access() for $ -> moderate handler : locking
upload of file without extension -> broken
allow only common reasonable extensions for upload
1. blacklist MIME types -> implement
2. blacklist extension -> update
3. white list
add default max value in actions: news, blog, files, etc. -> use list_count as default
empty body_r after page rename/relocation -> page needs re-rendering
installer: rewrite_mode option ! – dysfunctional
allow multi logins (on/off)
1. add multi login warning: 'Jemand hat sich bereits an diesem Konto angemeldet'
2. This account is currently being used in 1 other location at this IP ().
add access throttling feature
- limit the number of page requests by a single IP address within a given time interval
add array for 'default' AND 'user' menu so both can used independently (create/edit menu sets)
rewrite_mode setting in AP is pointless if it is overwritten in Setting class

2.4. Fix

invalidate / purge only a sub set of the SQL cache (?), do we always need to purge the entire cache?
check formatting of log() function -> html / wacko formatting
check for avoidable SQL roundtrip queries
link() -> default: $anchor_link – should only active inside page_body (?)
- additional check if its better to prefix the id="doc.deutsch.konfiguration"
  - to avoid unintentional mix with CSS settings
- set anchor id only where needed, minimizes also size of attributes
add option help to action to show all parameters in a info box
1. echo 'show all available parameters with description'
broken list in tree action if levels changes not in order – e.g. depth 1.2 -> depth 2.4
1. show missing levels
search?phrase="sourceforge.net" -> paging fails with "term to search"
bug: news action takes all subpages – is this desired?
improve search (open since ages), add some measures to improve relevance (time, size, user, filter, ...) and provide more and better meta data for search results
~~add options to show/hide page related categories at the page bottom~~
- themes may overwrite these settings via $this->config['footer_tags'] = OFF
- allways ON as default for posts in the forum cluster
- do we need an additional option for the user?
get translation
1. put lang-strings for action and handlers into separate dynamically loadable lang-files
2. cache
audit comments, moderation handler
replace p tag in toc action -> avoid wrong p in p
revisit access right settings for forum posts and menu access
1. the menu won't show the page properties icon -> annoying
implement rating hack (but without mandatory JS)
1. https://www.youtube.com/watch?v=orPVEAipz2A
add unique log message key to filter events (messages may differ)
use deleted field to mark deleted pages, comments, files
- basics implemented for page and files
- open: rollback/restore procedure and handling of final deletion
disable global upload for users
1. only local
2. only for cluster
add regex for this->config['users_page']/[*]/
- Yet the engine does not validate the namespace for the user cluster, so that nobody can create a page under /User except his own [UserName]
- Then we can disallow random pages for the first level in the users cluster except the own [UserName].
- The register action creates this page usually for the user.

2.5. Notifications

Notifications

2.5.1. Notice digest

store events notices and compile digest for user [user|moderator|admin]
- new user
- comments
- files
- changes

2.6. Handler

clone entire cluster is only available for Admins atm., it should also available for ...
improve global upload settings
1. allow groups
2. set individual rights (only images, quota, etc. for a user, group)
send page as email (like print)
show: add option 'Flag as Spam/Inappropriate'
show: Delayed Indexing delay_index
- <meta name=“robots” content=“noindex,nofollow”>
see upload subpage
1. upload: check if the MIME type of the uploaded file matches the file extension
2. upload: add form field to chose another file name (?)
3. upload: add accept attribute depending on config settings https://www.w3.org/TR/html5/fo[...]ml#attr-input-accept
4. ~~upload: send a notify mail on upload~~ DONE
add meta handler namespace ['page', 'account', 'file', 'service']
- This is the simplest way to standardize document locations and for the language-independent single instances of service pages, like login. Next step is the separated cluster for those pages, linked with prefix, for example, ((service:login)).
- this can be easily done with the new URI router
- handler/account/
file: apply access restrictions for global files if Wiki is closed -> $
1. add and enforce global Wiki mode, minimum access rights
2. route global files only for registered users

2.7. Action

template toc and tree

2.8. Formatter

Search Highlighter
(/Users/WikiAdmin UserSpace | WikiAdmin)) -fails on |

<# #> adds  on first and  on second appearance of double quote like class=""

caused by race condition in wacko_preprocess()

<#<div class="" style="background:transparent; border:.1em solid #F66; border-left:1em solid #F66; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div>#>
2
<#<div class="" style="background:transparent; border:.1em solid #fcfce9; border-left:1em solid #fcfce9; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div>#>

<!--notypo--><div class="<!--notypo--> style="background:transparent; border:.1em solid #F66; border-left:1em solid #F66; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div>#><br />2<br /><#<div class=<!--/notypo-->" style="background:transparent; border:.1em solid #fcfce9; border-left:1em solid #fcfce9; box-sizing:border-box; margin:.5em 0; overflow:hidden; padding:.5em; text-align:left; width:auto;">Unter den Btrfs-spezifischen Anpassungen (1, 2) waren einige, die Latenz- und Stabilitäts-Probleme beseitigen, die bei knapp werdendem Speicherplatz auftreten können.</div><!--/notypo--><br />

Wacko is spamming BRs, in between everything
add option to hide protected links
- You must login to see this link. Register now, if you have no user account yet.
Error: Bad value 4 for attribute type on element ol.
1. see $new_indent_type in wackoformatter -> error prone
  - ```
    1. hallo
      5. should not take the number but 1, same for i, I, a, A
```
2. Block elements inside inline elements
3. http://www.w3.org/TR/html5/gro[...]nt.html#attr-ol-type
allow case insensitive matching of file links, e.g. File:image.jpg
breaks quote
```
<[http://www.example.com]>
```
((image.jpg)) shows images from image/ folder ???
<[ ]> eats blank line in quote, undesired
broken nested quote
- ```
<[block
<[nested quote]>
quote
]>
```

2.9. Admin Panel

add Check for Updates button in Admin panel: /Download/VersionCheck?
Synchronizing data: update comment count for page if out of sync
Querying the RIPE Database: https://apps.db.ripe.net/db-web-ui/#/query
1. https://rest.db.ripe.net/search.json?query-string=
2. user approval
3. event log
4. Bad Behavior

upload module

PAY ATTENTION TO SECURITY RISKS
 

Before adding random file/MIME types: please think about possible security issues.

For example HTML (.htm, .html), JavaScript (.js) and PHP (.php) file are types you’d better avoid as they can be “executed” on your server where you really would not want that to happen. For most of these kind of files, this should not be a problem though as these files are better off being compressed into a ZIP file anyway.

Only add file types that you REALLY need and that you are comfortable with.

user management
- deactivate / delete inactive users
  - criteria
  - actions
add module to filter, moderate and manage pages, comments, (files)
1. see modules for content like pages
recovery mode: CSS and images won't load
- index.php: (!$db->ap_mode && RECOVERY_MODE) excludes static files!
  - !$db->ap_mode
purge logs (TRUNCATE)
1. log table
2. referrers
3. badbehavior

use collgroup for col span % width

<colgroup>
  <col span="1" style="width: 10%;">
  <col span="1" style="width: 5%;">
  <col span="1" style="width: 5%;">
  <col span="1" style="width: 45%;">
  <col span="1" style="width: 15%;">
  <col span="1" style="width: 10%;">
  <col span="1" style="width: 10%;">
</colgroup>

 <thead class="data-head">
        <tr class="">
        </tr>
        [...]
    </thead>

<tbody id="table-section-one">
[...]
</tbody>

<tbody id="table-section-two">
[...]
</tbody>

2.10. Database

2.10.1. Check for SQL STRICT mode violations

Using GROUP BY and selecting an ambiguous column
Inserting the non standard zero date into a datetime column
Inserting a 20 character string into a 10 character column
Division by zero
Inserting a negative value into an unsigned column

so far

#1406 – Data too long for column 'description' at row 1
1. set HTML maxlength="DB_FIELDSIZE" for all (VAR)CHAR form field
  - suggested (JS hint – might differ in some cases – smaller, e.g. meta description 160, meta title 60) + database field size (mandatory enforcement)
  - JS hint: You have <strong>60</strong> characters left
2. set PHP length check before passing to INPUT / UPDATE
#1055 – 'dev.g.group_name' isn't in GROUP BY

SELECT
`DIGEST_TEXT` AS `query`,
`SCHEMA_NAME` AS `db`,
`COUNT_STAR` AS `exec_count`,
`SUM_ERRORS` AS `errors`,
(ifnull((`SUM_ERRORS` / nullif(`COUNT_STAR`,0)),0) * 100) AS `error_pct`,
`SUM_WARNINGS` AS `warnings`,
(ifnull((`SUM_WARNINGS` / nullif(`COUNT_STAR`,0)),0) * 100) AS `warning_pct`,
`FIRST_SEEN` AS `first_seen`,
`LAST_SEEN` AS `last_seen`,
`DIGEST` AS `digest`
FROM
 performance_schema.events_statements_summary_by_digest
WHERE
((`SUM_ERRORS` > 0) OR (`SUM_WARNINGS` > 0))
ORDER BY
 `SUM_ERRORS` DESC,
 `SUM_WARNINGS` DESC;

2.11. Usability issues

~~indicate page [language|permissions]~~
1. permissions: use icon and different colors
add double-click support for editing comments
When should I use a select box instead of radio buttons?
1. https://www.nngroup.com/articl[...]es-vs-radio-buttons/
Not indicating an active form field
- e.g.
```
textarea:focus {
    border: 1px solid red; }
```
- You can use the ‘:focus’ selector on lots of elements, but it’s super handy when used on inputs and textareas to indicate that the field is active. Add CSS styling such as a highlighted border, or a subtle change to the background color.
forms with checkboxes and options in lists
- e.g. ~~category handler~~ or users in admin panel
- assignment of form buttons
usage of new page handler
- seen in many fresh installs, users adding sub pages to HomePage/subpage
  - this is possible but is it really desired and understood, should we filter out system pages as pre-provided cluster in the /new [page] handler?

Readings

2.12. Extensions

https://github.com/google/code-prettify

2.13. Ideas

spam / badword handling -> bad_words($text) function
1. https://en.wikipedia.org/wiki/Wordfilter
2. https://stackoverflow.com/ques[...]ood-profanity-filter
3. What you need is a good way for users to flag inappropriate content and a mechanism to deal with it swiftly. One way is to automatically hide/remove content if it's been flagged more than X times.
rel="edit" -> https://tools.ietf.org/html/rfc686
enforce ACL-Policy, e.g. set read to $, user can't overwrite the setting
test PHPThumb alternatives
1. https://github.com/mosbth/cimage
Composer
https://github.com/openpgpjs/openpgpjs
https://highlightjs.org/
https://www.w3.org/TR/css3-page/
1. https://www.smashingmagazine.c[...]-for-print-with-css/

2.14. Themes

new mobile ready theme / layout -> on hold (we got a new template engine!)
- https://getbootstrap.com/
- https://getbootstrap.com/docs/[...]tarted/introduction/
https://developers.google.com/web/fundamentals/
https://www.w3.org/Style/Examples/007/leaders

Flexbox vs Grid

Flexbox: content dictates layout
Grid: container dictates layout (to some extent)

Flexbox is great, it just isn't the best thing for overall page layouts.
Flexbox and grid play well together, and are a huge step forward from the float & table hacks they replace. The sooner we can use them both in production, the better.

CSS Varibles

CSS colums for index <div class="gimme-columns"><ul>

 
.gimme-columns {
	columns: 20em 3;
	column-count: 3;
	column-width: 20em;
}

.sticky {
  position: sticky;
  top: 0;
}

default theme

change blockquote
- box-shadow: 0 0 6px rgba(0, 0, 0, 0.5);
add option to hide $this->config['site_name'] in theme header, e.g.: WackoWiki: To Do R5.5 -> To Do R5.5
min-height: 200px for .article, #page

3. Unscheduled

3.1. Most Annoying Bugs

3.2. Core

Extended Acls
if ($method && $method != "show") unset($wacko->config["youarehere_text"]);
/Users/DidierSpaier/ProposedSpecificationsForLanguagesHolding
rewrite search action

3.3. Formatters

cleanwacko-> strip also file: links and formatter options (hl php ...)

4. Requests

add function InviteGroup (allow/deny add/remove)
Admin can upload unlimited
Mediawiki and other wiki converter
1. Mediawiki supports wackowiki but wackowiki cant import mediawiki!!!. Some media wiki themes recommended.
2. Support for mediawiki.
[formatting="default|wacko|html|simplebr"]
make GUI elements optional via the user settings [GUI] [] bookmarks [] breadcrumbs [] etc.
add new db field ~~'menu_tag' and~~ 'sef_tag' for each page
receive all messages combined in one digest
1. daily at
2. once per week on
3. once per month, on the day number
option for allowed actions in comments
move antispam.conf as badword to config
SHA digest of page content (body)
ODT and PDF page export done by handler — the exported document should contain: page ID + page revision hash, page revision date, page title and page text, there should be page numbers in the document also; for pages with multiple Includes — all mentioned only for main page
Search page by page ID and a pair of page ID + page revision hash to let users search the certain documents fast to edit.