3931.feature allow javascript to be inserted in head-section or at bottom of page. #361
Conversation
We need to run an upgrade step to define the new `webstats_head_js` field, but it would be nice if the UI looks reasonable before this. Various viewlets give: KeyError: 'Interface `plone.base.interfaces.controlpanel.ISiteSchema` defines a field `webstats_head_js`, for which there is no record.'
…have shorter code.
…ag in the head section.
|
@jladage thanks for creating this Pull Request and helping to improve Plone! TL;DR: Finish pushing changes, pass all other checks, then paste a comment: To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically. Happy hacking! |
|
The GitHub Actions tests will keep failing because they need a checkout of the branch from I propose that we accept the failing GitHub Actions, and wait for the Jenkins jobs to pass. I have restarted the jobs of the three combines PRs, to test it with the most recent changes. They were already green earlier today. After merge, I can make a Alternatively we first merge |
Now using IHtmlHead viewlet manager.
…tags and renders up the remaining tags.
There was a problem hiding this comment.
See my remarks. There is some room for discussion - I would remove the filtering of UNWANTED_TAGS. (this needs some review of a security expert like @mauritsvanrees )
In any case at least the changelog entry needs to be updated to reflect what the implementation really does.
| @@ -7,9 +8,13 @@ | |||
| from zope.viewlet.interfaces import IViewlet | |||
|
|
|||
|
|
|||
| UNWANTED_TAGS = ["base", "title"] | |||
There was a problem hiding this comment.
I'm not sure, if this is really necessary. We're adding JavaScript and with that we can do anything, also unwanted stuff.
Maybe it should be up to the integrator to produce valid HTML?
If we keep it, I do like that e.g. <style> tags and the like are allowed. This gives an easy way of quickly adding a style messing with theming.
There was a problem hiding this comment.
The rational is that this is not security but more thinking about what a not so savy site manager, could fuck up :) Off course he/she should handle injecting javascript with care, like it was alway the case with that field in the control panel.
My code, because it injects in the head section (thanks to @yurj ) I got aware of the fact that we could prevent "user error" simply by filtering only script tag. A bit later I realized we can prevent double base or title tags at a low cost using lxml.
A pleasant second benefit is that with this code, even if the user makes a typo in the script, the viewlet will render valid HTML.
I'm not familar enough with the control panel code to write up a validator for this head field which would prevent adding base or title tags in the nicest possible way. Anyone would like to assist or give me some pointers?
Hope this helps to understand why it's there.
Nice idea, but it would be better in a validator so it is done once. We have not done that until now, so there is no hurry, but I do want this merged for a Plone release this week.
|
I have removed the lxml cleaning. Nice idea, but it would be better in a validator so it is done once. We have not done that until now, so there is no hurry, but I do want this merged for a Plone release this week." I copied the original branch to a new name, so we still have the code: |
|
As said before, GitHub Actions will fail until plone.base is released and available, we can ignore that. @jenkins-plone-org please run jobs |
|
I have released |
Fixes plone/Products.CMFPlone#3931