A couple of new additions for the new release, recommended

18 replies
Joined: 10/11/2010

Web applications are obviously what QCubed helps with, and when we talk web, it also whispers 'security please', and then 'ease of use' is always there. I would like to recommend two projects which could be included in the QCubed core. This will make QCubed quite a bit heavier than it is in size, but also make sure that we have it close to what web frameworks need to provide. I am sure the experts here know about them; still, here they are:

1. HTMLPurifier:

XSS attacks are one breed of threats where not the websites, but users suffer. It is, however, the responsibility of the developer to make sure that his app does not spoil the user experience by letting things get out of control. As people around here might already know, HTMLPurifier is a great tool here. Configuring and using it is really easy - especially when the alternative is writing your own parser!

Although it can be used to filter both input and output, filtering the input is enough as long as not too many mistakes have been made on the developer's part otherwise. Removal of suspicious HTML and filtering in other ways (a big one is to limit the tags one can use in a textarea) is great with HTMLPurifier. I am currently using it in many places and it is working fine, really. Here is a sample of how I am using it:

<?php
// Build an HTMLPurifier configuration with a small whitelist of allowed tags
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('AutoFormat.AutoParagraph', true);
$config->set('HTML.Allowed', 'p,b,strong,i,em,u,i,code');

$purifier = new HTMLPurifier($config);

// Purify the raw text of the textbox before storing or displaying it
$FilteredInput = $purifier->purify($this->txtBodyInput->Text);
?>

Easy to use and set up. It would be great if developers could just create a new class based on TextBox which could handle the setting up of config. How about doing something like:

<?php
// Proposed API: enable filtering on the control and pass HTMLPurifier settings through
$this->txtInput->Filter = true;
$this->txtInput->FilterConfig->set('AutoFormat.AutoParagraph', true);
$this->txtInput->FilterConfig->set('HTML.Allowed', 'p,b,strong,i,em,u,i,code');

// Unfiltered text
$InputText = $this->txtInput->Text;
// Filtered text
$FilteredInputText = $this->txtInput->FilteredText;
?>

NOTE: It would be just as good to not include it in the core framework and allow users to use it as above, just by adding HTMLPurifier to QCubed: this would keep the core lightweight for normal pages where purification is not needed, as HTMLPurifier is a HUGE and HEAVY library. For the same reason I did not extend the QTextBox class.

As a solution to the above problem, it might also be possible to put this in the getter function:

<?php
// Inside the control's __get(): HTMLPurifier is only loaded when 'FilteredText' is read
case 'FilteredText':
    require_once(__INCLUDES__ . '/path/to/htmlpurifier.auto.php');
    $purifier = new HTMLPurifier($this->FilterConfig);
    $this->txtFilteredText = $purifier->purify($this->Text);
    return $this->txtFilteredText;
    break;
?>

And obviously you have to put in the logic for mapping the setters for the API if it is done the way I have used it above. The good thing about the above approach is that the HTMLPurifier library is not loaded until 'FilteredText' is requested.

2. CKEditor:

Rich text input is one of those things you find yourself in need of a LOT of the time: user signatures, comments and quite a few others. I settled on CKEditor as it was pretty easy to work with. One might find some other editor if it suits, but for me CKEditor is good enough, at least for now.

QCubed, however, does not have something like QRichTextBox. I am using CKEditor at the end of the templates so that the page is first rendered and then CK is asked to convert one textarea (well, that would be a QTextBox with MultiLine text mode) into a rich text box. However, I am unable to figure out how to make a control out of it and hence am not able to render a rich text editor on an AjaxAction call (which is something that would have made my app so much cooler). Here is how I am using it for now. If one could create a control which worked with AjaxAction and CKEditor, it would be just so great!

<?php
/* CKEDITOR */
// Create a class instance.
$CKEditor = new CKEditor();

// Configure it: toolbar groups, width and entity handling
$config = array();
$config['toolbar'] = array(
    array('Source', '-', 'Bold', 'Italic', 'Underline'),
    array('Find', 'Replace'),
    array('Cut', 'Copy', 'Paste', 'PasteText', 'PasteFromWord', '-', 'Undo', 'Redo')
);
$config['width'] = 650;
$config['entities'] = false;

// Path to the CKEditor directory.
$CKEditor->basePath = '../path/to/ckeditor_dir/';

// Replace a textarea element with an id (or name) of "textarea_id".
$CKEditor->replace('textarea_id', $config);
/* CKEDITOR END */
?>

Yes, I know that there is a plugin with FCK editor, but FCK editor is quite OLD and the new version has a much better API. It would be just so great if CKEditor and its functionality were a part of QCubed. You can use it the way above, but it will not work with QAjaxAction or QAjaxControlAction.

The reason I chose CK is that I have used almost a dozen (the full list supported by Drupal) rich text editors and all of them messed up the SEO as well as the output HTML at times, making them purely pathetic. YUI and CKEditor were the best. While YUI is great, it is one really HEAVY download at approx. 12 MB and I would not use it. CKEditor was just as great with a lot more features, faster load time and easy-to-use setup as well as usage, and obviously a lot smaller in size. Hence I would say CK is the best JS based editor out there.

I am using both of them and setting them up was a bit difficult in the beginning. Also, in my humble view, a Web app development framework must facilitate both the HTML purification mechanism as well as a rich text editor control.

If I were to give away my wishlist, it would include this:

1. A QAutoComplete TextBox control into the core (not as a plugin)

2. A rich text editor (such as CKEditor).

3. A HTML Purification mechanism and I could not find anything better than HTMLPurifier (please do suggest something else if there is).

4. A way to use JQuery from the Google CDN (or other sources on the internet).

5. QCubed does not function well if you do not specify any database adapter. One might just need the QForm, QControl and other awesome features of QCubed without having to connect to a database unnecessarily!! Having the 'necessity' of a database connection in a web framework does sound a little stupid - it should work if you do not use any database connection. Think of it like this: someone who is using MongoDB as the backend (Mongo is not supported by QCubed) might just want to use the QForm and QControl libraries. Why ask the person to have an RDBMS installed and working without any reason?

There are a few others but I see they are being taken care of in the tickets. All in all, QCubed is going great, but like everything else, it has to improve, hence my 2 cents. I hope someone will take notice :)

In case there is someone who is ready to work with the HTMLPurifier and CKEditor, I would like to help as far as I can. If these two features get added into QCubed, you could just call it a 3.0 release? :-)

Regards,
Vaibhav

alex94040 (Joined: 11/06/2008)

Vaibhav, thanks so much for your interest and a detailed proposal.

Some comments on what you suggested:
1) HTMLPurifier: I think we absolutely must integrate something like this into the core. Today, QCubed does a very weak job of detecting cross-site scripting attacks (see the logic in ParsePostData() in QTextBoxBase). I would much rather use a great framework like HTMLPurifier to do this.

Do you want to spearhead the integration of HTMLPurifier into the framework? It would have to replace the logic inside ParsePostData and fully respect settings such as QCrossScripting::Allow.

2) Rich text editor: I would love to first see a plugin that integrates the CKEditor into QCubed. If it turns out to be super popular, we can easily integrate it into the core later. As the first step, though, I would like to keep the core very lean (and only have it include pieces that 90% of the developers will use - ex. cross-site scripting is a must for everyone, that's why HTMLPurifier would be in)

3) Google CDN for jQuery: I'm very passionate about this as well, and I just submitted a patch for it: http://trac.qcu.be/projects/qcubed/ticket/362. Please review/test!

4) QAutocomplete textbox in the core: why? Why isn't a plugin enough? Is plugin installation painful? I thought it's just a couple of clicks.

5) QCubed working without a DB adapter configured: sounds great. Wanna take this on?

Joined: 02/02/2010

@5: What are the problems when using QCubed without DB?
I am using QCubed that way and I do not face any problems (I commented out the database part in configuration.inc.php).
The only thing I can think of is that filling and filtering a QDatagrid needs more work.

Joined: 10/11/2010

@mike: The last time I did that, I got a bunch of code on my screen so posted that. I will try and see if that works here.

Joined: 10/11/2010

@Alex:

1. I would love to do that. But there are a couple of things which I must tell you straight away. Once the holidays are over, I am gonna get hell busy. So things might end up nowhere. This is one reason why I put the code here indicating how to use it. I am really sorry but I do not get time. The second thing is - I do not do too much fiddling with the core because I end up messing things up too many times - I am a procrastinator at times when I start discovering. So it is gonna take time.

In my humble opinion, a more developed way would be to do something like this with the QTextBox:

<?php
$this->txtSomeInput = new QTextBox($this);
$this->txtSomeInput->Purification = true;

// A standard HTMLPurifier configuration, handed to the control unchanged
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('AutoFormat.AutoParagraph', true);
$config->set('HTML.Allowed', 'p,b,strong,i,em,u,i,code');

$this->txtSomeInput->PurificationConfig = $config;

// LATER IN THE CODE
$filtered_data = $this->txtSomeInput->FilteredText;
?>

This will make sure that we have a one-to-one mapping of the HTMLPurifier config variables onto QCubed. This will make sure that when developers (users) using QCubed run into problems, they can ask on the HTMLPurifier forums without a problem (because that is where those problems belong). I would say that is the way the community should integrate external libraries into the core.

If I have the support from the community about this (which includes me taking a bit more of time), I would like to proceed in this direction.

2. As for Rich Text editor => I am sorry. I think this is going to be messy without some mentoring help who could lend me a helping hand to begin with.

3. That ticket has two patches. Are both to be applied or only the 'v2' patch? Though I consider myself good with javascript, I never opened the JS files of QCubed core and the first patch makes changes to the core JS file.

4. Plugin is great. Installation is easy as well. However, it is possible that a developer unaware of the Plugin might never discover it. Moreover it is one of those things which is too much needed (and at many occasions, 'expected') by people (ever since Google Suggestions showed up), so I suggested it to be in the core. Nothing more to it!

5. I think mike has told the solution. I will test it with a test setup in time and let you know.

Regards,
Vaibhav

alex94040 (Joined: 11/06/2008)

1) On HTMLPurifier: I recommend against going with the $this->txtSomeInput->Purification = true; approach. Every control in QCubed needs to be protected against cross-site scripting by default. There is already a set of constants that define the level of protection for each field (QCrossSiteScripting). We should use those.

Also, I most definitely understand that you may not have time to finish this. QCubed is a community and we are all volunteers. Please know that while others might jump in to help, if you don't take your work to a certain level of completeness, folks won't jump in and help. That's the reality of open source software. Once you have the basics working, others (me included) will of course be happy to help you polish it.

2) On making plugins: I would encourage you to look at the "plugin ecosystem" series of tutorials (starts here: http://examples.qcu.be/assets/_core/php/examples/plugins/about.php) and then look at how the FCKEditor plugin is put together. This should get you started. If questions come up, we will of course be happy to answer them here on the forum!

3) Only apply the second patch. Note that there are no modifications to the JS files in that patch. The way you can help is by testing it in your application!

4) Plugins: I very much agree that the developer might never find out about the existence of the plugins. That, to me, means that we need to increase the visibility of plugins - make sure that all QCubed developers know about them by putting the link to the plugin repository front and center in the QCubed installation.

Placing everything inside the core to solve the discoverability problem isn't a great solution (it creates dependencies for the release schedule which are undesirable).

Thanks again for being so active in the QCubed community! Great to have you here!

vakopian (Joined: 04/08/2008)

About #4, QAutocomplete is already in the core. Am I missing something?

Joined: 10/11/2010

@alex: I will try starting off with HTMLPurifier for now. I understand the fact that I need to get it to some level of completeness before calling others. However, by 'support from community', I actually was talking about 'being able to bear with any latencies'. Also, I have taken note of QCrossScripting and will try to accomplish the task using that. However, as a matter of fact, I never looked into that class (in fact, never into the enumerations at all, thanks to the lack of API documentation :( ) and I would request you to explain its workings shortly, preferably with an example.

I won't be working on the CKEditor for now, only the HTMLPurifier - which is much more required than CKEditor (personal view).

/*****************

[EDIT] : The JQuery patch is working for me. Thanks a ton for that!

*****************/

Regards,
Vaibhav

alex94040 (Joined: 11/06/2008)

Great to hear that. We of course will respect your schedule - we all understand that you are a volunteer, too. We'll support you along the way!

Joined: 10/11/2010

I am trying to figure out QCrossScripting but am not able to do much. A little confused about how this fits in and where. Please explain. :(

Joined: 10/11/2010

PLEASE, SOMEONE TELL ME WHAT QCrossScripting is? I want to know this in order to make the integrations as requested. I tried to figure out but could not understand one bit! I mean yes, the class has got a couple or so constants but what is the use or the role of them? Alex? :|

jmirancid (Joined: 04/04/2011)

I think it is an enum class with possible value entries for text or input controls. Later this enum class is used for the validation of that control.

http://api.qcodo.com/index.php/QCrossScripting/Constants

I think it is related to preventing the cross-scripting hack, so as not to allow HTML tags to create new content on the page or redirect to dangerous sites.

vakopian (Joined: 04/08/2008)

Vaibhav,

jmirancid is correct, that's an enum class. Since PHP has no native support for enums, in QCubed we emulate it with an abstract class with only constants in there.

The enums in QCrossScripting are used in two places, in QTextBox and QWriteBox (which extends QTextBox). The former has it set to QCrossScripting::Deny by default, while the latter is set to QCrossScripting::Allow by default. And the usage is clear too: when it's Deny, htmlentities() is applied to the posted data, otherwise the posted data is used as is.

This literally took me 3 minutes to find out. Which makes me guess you might not be using good tools. I suggest you use an IDE that allows easy usage searching and other quick navigation (my favorite is PhpStorm).

Hope it helps.

vakopian (Joined: 04/08/2008)

Ooops, a small correction.
QTextBox does htmlentities when its CrossScripting property is set to QCrossScripting::HtmlEntities.
For QCrossScripting::Deny, it checks the presence of some tags in the posted data, and throws an exception if it finds any.
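An added illustration (not QCubed's or HTMLPurifier's own code) of the three QCrossScripting behaviours vakopian describes, plus a hypothetical fourth mode showing where the HTMLPurifier whitelist and lazy loading from the opening post would slot in; the class name, the tag-detection regex and the include path are assumptions.

```php
<?php
// Added illustration, not QCubed's or HTMLPurifier's own code.
// Emulates QCrossScripting as a constants-only class, as vakopian describes.
// Allow, HtmlEntities and Deny are the modes named in the thread; Purify is a
// hypothetical fourth mode showing where HTMLPurifier would slot in.
abstract class CrossScriptingMode {
    const Allow        = 'Allow';        // posted data used as-is (QWriteBox default)
    const HtmlEntities = 'HtmlEntities'; // htmlentities() applied to the posted data
    const Deny         = 'Deny';         // exception if tags are present (QTextBox default)
    const Purify       = 'Purify';       // hypothetical: HTMLPurifier with a tag whitelist
}

// Mirrors what ParsePostData() would do with the posted value for each mode.
function parsePostedText($strText, $strMode, $strAllowedTags = 'p,b,strong,i,em,u,code') {
    switch ($strMode) {
        case CrossScriptingMode::Allow:
            return $strText;
        case CrossScriptingMode::HtmlEntities:
            return htmlentities($strText, ENT_QUOTES, 'UTF-8');

        case CrossScriptingMode::Deny:
            // Assumed tag check: any opening or closing tag rejects the whole value.
            if (preg_match('/<\/?[a-z]/i', $strText)) {
                throw new Exception('Cross-site scripting attempt detected: tags are not allowed');
            }
            return $strText;

        case CrossScriptingMode::Purify:
            // Loaded lazily, like the FilteredText getter proposed earlier in the thread.
            if (!class_exists('HTMLPurifier')) {
                require_once __DIR__ . '/path/to/htmlpurifier.auto.php'; // placeholder path
            }
            $objConfig = HTMLPurifier_Config::createDefault();
            $objConfig->set('Core.Encoding', 'UTF-8');
            $objConfig->set('HTML.Allowed', $strAllowedTags); // whitelist from the opening post
            $objPurifier = new HTMLPurifier($objConfig);
            return $objPurifier->purify($strText);

        default:
            throw new InvalidArgumentException('Unknown cross-scripting mode: ' . $strMode);
    }
}

// Constructed sample: one whitelisted tag next to an injected script element.
$strSample = '<b>hello</b><script>alert(1)</script>';

echo parsePostedText($strSample, CrossScriptingMode::HtmlEntities), "\n";
try {
    parsePostedText($strSample, CrossScriptingMode::Deny);
} catch (Exception $e) {
    echo 'Deny: ', $e->getMessage(), "\n";
}
// With HTMLPurifier installed, Purify keeps <b>hello</b> and drops the script element.
echo parsePostedText($strSample, CrossScriptingMode::Purify), "\n";
```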

Joined: 10/11/2010

I am using ECLIPSE with PDT and I think that is a great enough tool. PhpStorm is a paid program and I don't have a credit card or even money to buy that. Anyway, I believe I was doing things the other way round. I should have just run a text search on my workspace (I feel kind of dumb :P ). I will look into how I could make HTMLPurifier fit into that.

Joined: 10/11/2010

Hey vakopian,

You took 3 minutes to find the places it is used in; I took 3 hours to integrate it, test it and post it back in the trac and forum :P. How about me having some credit? ;) My little proud moments apart, your post was of much help. So was jmirancid's. Thanks guys :)

I am creating a new thread for this to bring it to Google's search results more effectively:

http://qcu.be/content/safeguard-your-qcubed-based-app-xss-htmlpurifier-i...

vakopian (Joined: 04/08/2008)

Not to start an IDE flamewar, but I bless the day I moved from PDT to PhpStorm :-)

BTW, they offer free licenses for open source projects, so if you become a QCubed core contributor you could get one of the licenses from the pool we currently have. I think we originally had 10, but I'm not sure how many of them are currently in use.

vakopian (Joined: 04/08/2008)

Vaibhav,
Sorry if my comment about the 3 minutes came off wrong. The credit is definitely not mine, it's the IDE's. And that's all I wanted to bring across, that there are much better tools out there.

Anyway, truly, the credit is all yours, for bringing the whole issue up, following it up with good code and for a nice explanation in the forum page. Your efforts and contribution are very much appreciated.

And of course, I already commented on the ticket with my suggestions :-), please take a look.

Joined: 10/11/2010

Well, I was not fighting over IDEs, just mentioning my thoughts. And yes, the credit thing too was a light-hearted comment which I believe you took a little seriously :P.

Anyway let's leave that part of the topic. And thanks for appreciating my work. :)