Add option for custom js (like custom css) #661
* Add a new 'js' flag to indicate you want to embed a file named 'custom.js' which should exist at the root of the wiki
Hey, I wasn't sure if you guys would even be interested in this, but I thought I'd send a pull request to see, and at least open the conversation. I think it would help a lot in adding the ability to customize the experience of using gollum for end users.
I agree. I think as long as random wiki people can't insert JS, then it should be fine.
I approve. An aside, it may be appropriate to have the Gollum inject a javascript
The rationale being currently, any javascript running will have to do
Doesn't this enable anyone with edit abilities on the wiki to inject JS? I think we'd want some way to ensure it's only possible to be set by the user who starts the gollum server.
I agree that makes sense.
@dekimsey +1 on the javascript object idea @bootstraponline well it would require you to create a page named custom.js, and I thought that regular edit permission did not allow adding arbitrary files to the wiki? If this were true, it would also be true for custom.css currently.
It is an interesting question. For some, editing the wiki == access to the A solution might be to have the served file be locked to a particular Danny. The mind of the believer stagnates. It fails to grow outward into an On Tue, Mar 19, 2013 at 6:38 PM, bootstraponline
I think it lets you create arbitrary files. Injecting CSS is not great, however injecting JS is an entirely different level in terms of potential surface area for attackers.
Injecting css lets you inject js. They are both vulnerabilities.
How do you load JS from CSS?
I agree. The same fix will work for both. I wonder if we need an admin mode or some other creative way to manage permissions.
I found this on StackOverflow. Browsers are fun.
Yup. Danny. The mind of the believer stagnates. It fails to grow outward into an On Tue, Mar 19, 2013 at 7:54 PM, bootstraponline
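An added example, not part of this pull request or of Gollum's code: one way to keep web-editor writes away from the files the server embeds into every page (`custom.js` and `custom.css` at the wiki root), so that only the person running the server can change them. All function and constant names are hypothetical, and the `operator:` flag assumes the application can tell operator changes apart from edits made through the web UI.

```ruby
require 'pathname'

# Hypothetical names throughout; none of this is Gollum's API.
# Files embedded into every rendered page when the css/js flags are set.
RESERVED_ROOT_ASSETS = %w[custom.js custom.css].freeze

# Reduce a client-supplied path to the repo-relative form it would be
# written to. Returns nil when the path climbs out of the wiki root.
def normalize_wiki_path(raw)
  cleaned = raw.to_s.tr('\\', '/').sub(%r{\A/+}, '')
  path = Pathname.new(cleaned).cleanpath.to_s
  return nil if path == '..' || path.start_with?('../')
  path
end

# True when the path resolves to a reserved asset at the wiki root.
# Compared case-insensitively (assumption: the checkout may live on a
# case-insensitive file system, where Custom.JS and custom.js collide).
def reserved_asset?(raw)
  path = normalize_wiki_path(raw)
  !path.nil? && RESERVED_ROOT_ASSETS.include?(path.downcase)
end

# Decide a write arriving through the page editor or an upload endpoint.
# operator: true only for changes made by whoever started the server.
def authorize_write(raw, operator: false)
  return :reject_traversal if normalize_wiki_path(raw).nil?
  return :deny_reserved if reserved_asset?(raw) && !operator
  :allow
end

# Constructed sample requests, not taken from any real wiki.
SAMPLE_WRITES = [
  'Home.md', 'custom.js', './Custom.JS', 'docs/../custom.css',
  'docs/custom.js', '../custom.js'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_WRITES.each { |p| puts format('%-20s %s', p, authorize_write(p)) }
end
```

The check compares the normalized path rather than the raw request string, so spellings such as `./Custom.JS` or `docs/../custom.css` are treated the same as the plain file name.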