Dev meeting 2016 05 24

Gawain Lynch edited this page May 24, 2016 · 2 revisions

Agenda

Actionable Items

Log

<gawainlynch> ping Bopp carsonfull gawainlynch phillipp rarilaDroid rixbeck rossriley SahAssar slick0 
<Bopp> pong
<rarilaDroid> peng
<phillipp> ping
<phillipp> damn, i even failed to write "pong"
<gawainlynch> Haha
<gawainlynch> SahAssar is "here" but not here
<Bopp> I'd like some input on #5339
-[BoltIssueBall]/#boltcms- #5339 [open] [RFC] Allow or disallow `<script>` in content.  https://github.com/bolt/bolt/issues/5339 
<gawainlynch> :fire:
<Bopp> one hand: "don't babysit the users" 
<rarilaDroid> Bopp: input
<gawainlynch> #karma rarilaDroid 
<[BoltIssueBall]> BoltKarma for rarilaDroid is now 1
<Bopp> other hand: "Keep editors from shooting themselves in the foot"
<Bopp> so.. 
<Bopp> I'm :+1: on making that RFC .
<rossriley> is here
<gawainlynch> SahAssar: ping… this is one that would affect you more than anyone in the team
<gawainlynch> Evening, rossriley 
<rossriley> I’m personally negative on that….
<phillipp> +1 too
<gawainlynch> As in don't remove?
<rarilaDroid> Bopp: ct option?
<rossriley> well, is the proposal to remove or just allow configuring removal?
<Bopp> I've thought about a _legitimate_ usecase to insert <script> in actual content.. and couldn't think of something that didn't sound hackish
<phillipp> i am for script tags
<rossriley> bopp, embed forms, hubspot embeds, tracking tags… all sorts 
<Bopp> rossriley: if it's up to me: Strip <script> by default, unless specified. 
<gawainlynch> OK… so as it is explained to me by Bopp (just now in the room), there was a Charlie Foxtrot from an editor copy/pasta things
<gawainlynch> Bopp: So I think configurable makes the most sense 
* rixdroid (~rixbeck@5401D4E9.dsl.pool.telekom.hu) has joined #boltcms
<gawainlynch> Evening, rixdroid 
<rixdroid> hey guys
<gawainlynch> So opinion seems to be "configurable"
<gawainlynch> rossriley & carsonfull: Do either of you have any work you want to land soon… I think we can open feature next week
<gawainlynch> s/can/should/
<Bopp> yes, configurable (because people don't like removing features), but the _default_ should be off.
<Bopp> as in: No ghost-pasting script tags for editors, unless explicitly allowed
<gawainlynch> Bopp: One caveat, can we have the "null" value be "allow" and add it to config.yml.dist so that new installs pick it up
<Bopp> yes
<Bopp> or, wait. 
<gawainlynch> `allow_tags: false` in the dist file
<Bopp> allow_tags will remain the same
<Bopp> this would be separate from that. 
<gawainlynch> `allow_script_tags` then :-D
<gawainlynch> …or what-evs
<Bopp> https://github.com/bolt/bolt/blob/release/3.0/app/config/config.yml.dist#L205
<Bopp> there's this. 
<rossriley> gawainlynch: I do, yes I think sortable select / sortable relations should be good to go in next week at some point
<Bopp> but it doesn't apply to wysiwyg fields yet
<gawainlynch> rossriley: Cool… Let's call Monday go on all new features
<gawainlynch> Bopp: Can you expand on that in the issue then
<gawainlynch> Anyone have anything else to add?
<Bopp> Ok, for 3.1 i have my work cut out.
<Bopp> I'll expand on the [RFC] for the tags thing, but include some other related things, like filtering/cleaning for wysiwyg, and related settings. 
<gawainlynch> Failing anything else… SahAssar I am going to steal your thunder
<gawainlynch> </meeting>