On 5 Mar 00, at 1:43, Peter Thoeny wrote:
> Disabling HTML in general plugs the security hole, but
> puts some limits on the system. It depends on the
> community if this is acceptable or not. For our internal
> deployment of TWiki as a knowledge base for support it
> is not.
>
> Any comments?

I've been thinking about this problem a bit and am pretty torn right
now between the costs/benefits of allowing html.

From my limited experience, I think a larger danger than actual
malicious code (a la scripts, etc.) is just broken html. We will often
get confusion when a <table> tag goes unclosed within the wiki
text (it messes up the entire page formatting and usually results in
a very broken document). In addition, with stricter html parsers
coming online (i.e. xhtml) it might be nice to be able to
control/enforce better behaved html documents.

It may be beneficial to come up with wiki markups for the remaining
commonly used html tags to eliminate both security and
malformed document problems. If anything, it's the wiki markups
that distinguish wiki from other collaborative document systems
(aka domino, etc.). So, even if you don't want to use them all, it
may be good to standardize on a comprehensive set of wiki
markups just to maintain cohesion.

As far as TWiki in particular is concerned, I think the big decision
is how easy the code needs to make switching between wiki
"modes". Adding markups to the parser is relatively easy.
Removing tags is a bit more work. Right now, you have to go into
the wiki parser and comment out each tag you don't want. In
addition, you must explicitly change the code if you don't match
the "allow html" mode that TWiki ships with. Should this be a set
of flags in the wikicfg instead? Or maybe a security mode setting,
high security meaning no html tags, large wiki tag set, medium
being limited html tags (tags from a "white list" of safe html),
medium wiki tag set, and low security being allow any html tags
and use the medium wiki tag set?
-iain
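The three-level "security mode" proposed in the message above, worked through as an added example (not code from the thread or from TWiki, which is written in Perl; this illustration uses Python's standard-library HTML parser). The mode names, the allow-listed tag set and all function names are assumptions made for the example. Besides applying the allow-list it also tracks elements the author forgot to close, which is the unclosed-table breakage the message describes:

```python
"""Allow-list HTML filter with three security modes (high / medium / low).
Added illustration, not TWiki's own code; mode names, the tag list and
all function names are assumptions made for the example."""
from html import escape
from html.parser import HTMLParser

# Assumed "white list": structural and inline formatting only, nothing that
# runs script, loads a URL, or submits data (script, style, iframe, form...).
SAFE_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
             "pre", "code", "table", "tr", "th", "td"}
VOID_TAGS = {"br"}          # tags that never take a closing tag

# high: no HTML at all; medium: allow-listed tags only; low: anything goes
MODES = {"high": frozenset(), "medium": frozenset(SAFE_TAGS), "low": None}


class AllowListFilter(HTMLParser):
    """Rebuilds the markup, keeping only permitted tags and recording
    which elements were left open (the unclosed-<table> problem)."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed   # frozenset of tag names, or None = allow all
        self.out = []            # output fragments
        self.stack = []          # currently open (kept) elements
        self.dropped = []        # tags rejected by the allow-list

    def _permitted(self, tag):
        return self.allowed is None or tag in self.allowed

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if self.allowed is None:
            self.out.append(raw)             # low: untouched pass-through
        elif tag in self.allowed:
            self.out.append(f"<{tag}>")      # medium: attributes discarded
        else:
            self.dropped.append(tag)
            self.out.append(escape(raw))     # rejected tag shown as literal text
            return
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if not self._permitted(tag):
            self.out.append(escape(f"</{tag}>"))
            return
        if tag not in self.stack:
            return                           # stray closing tag, dropped
        # Close anything opened after this element first so nesting stays valid.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped outside low mode. This also neutralises the raw
        # body the parser hands over for a <script> element whose start tag
        # was rejected; otherwise that body would reach the browser as markup.
        self.out.append(data if self.allowed is None
                        else escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")         # entities pass through unchanged

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if self.allowed is None:
            self.out.append(f"<!--{data}-->")  # comments survive only in low mode


def filter_html(text, mode):
    """Return (clean_html, unclosed_tags, dropped_tags) for the given mode."""
    f = AllowListFilter(MODES[mode])
    f.feed(text)
    f.close()
    unclosed = list(f.stack)
    # Auto-close whatever the author forgot, innermost first, so one missing
    # </table> cannot swallow the rest of the page.
    closers = "".join(f"</{t}>" for t in reversed(unclosed))
    return "".join(f.out) + closers, unclosed, f.dropped


if __name__ == "__main__":
    # Constructed sample topic text, not real wiki content.
    sample = ('Hello <b onclick="x()">bold</b> <script>alert(1)</script> '
              '<table><tr><td>cell')
    for m in ("high", "medium", "low"):
        clean, unclosed, dropped = filter_html(sample, m)
        print(f"[{m}] {clean}\n    unclosed={unclosed} dropped={dropped}")
```

Running the sample in medium mode keeps `<b>` (minus its `onclick`), renders the `<script>` element as visible text rather than executing it, and appends the missing `</td></tr></table>`; high mode escapes every tag, and low mode passes the input through as the author typed it. The returned `unclosed` and `dropped` lists are what a save-time preview or a lint warning to the author would be built on.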