Handle storage of javascript: URIs

[nodiscc]

Copied from sebsauvage#174

At https://github.com/shaarli/Shaarli/blob/master/index.php#L1479, add && !startsWith($url,'javascript:')

This allows to pervent bookmarklets' URL to be prepended with http:// prefix.
That keeps the bookmarklet link functional and dragable "as is" to the browser's bookmarks bar.

[e2jk]

OK

[Ginko-Aloe]

Hi @nodiscc,

I closed sebsauvage#174 as you suggested.

Just a question: what do you mean by a "temporary" fork? Sounds like a good idea to update shaarli so why a temporary repo ?

[nodiscc]

@Ginko-Aloe thank you for closing the old issue.

what do you mean by a "temporary" fork

See sebsauvage#191. @sebsauvage does not have time to maintain Shaarli, add fixes, merge pull requests and cleanup the bug tracker currently. This organization tries to keep the project alive and fix common problems/requests. We hope this situation is temporary, it would be better to have only 1 repository with the latest changes (as you can see here https://github.com/shaarli/Shaarli/network I think we're on the right path)

[Ginko-Aloe]

Ok, I got it :)

Glad to see shaarli live again !

[nodiscc]

Ongoing work in pull request #119. Please add your voice to the discussion there.

Edit: considering it's an enhancement and there is no agreement on how to properly add this in #119, I've removed the 0.9beta milestone so this doesn't block us for the release. You can still merge #119 in your own install if you desperately need this :)

[nicolasdanelon]

-1 to add javascript:*something*

[nodiscc]

@nicolasdanelon +1s an -1s without technical or usability argumentation spams everyone subscribed to this issue (mail notification, RSS notification and Github notification). Please refrain in the future, thanks.

[nicolasdanelon]

ok, sorry.
is not a good practice for coding. developers shouldn't code like that and we shouldn't be agree with this kind of practices. -1

[e2jk]

@nicolasdanelon It's not Shaarli's job to influence "coding practices".
With HTML5 "apps", Firefox mobile and all, if you just take a "all JavaScript is bad" approach you haven't got a bright future in front of you.
Plus, this doesn't have anything to do with the developers of the websites, since this would be used primarily to store bookmarklets.
Sorry, not a convincing argument to me.

[nodiscc]

Copied from #119

I've just re-read a bug report on the RequestPolicyContinued bug tracker. There are a lot of existing URI schemes aside from http: https: ftp: magnet: (the linked bug report references feed: mailto: magnet: mediasource: about: jar: gopher: UT2004: spotify: chrome-extension: floatnotes: greasemonkey: bank-id: and mooore) and I think we should allow users to bookmark them.

@e2jk has concerns about the security of this, and the workaround (popup) is IMHO not so good.

I propose allowing users to configure extra URI schemes they want to be able to store. Eg. a config array $GLOBALS['config']['EXTRA_ALLOWED_URIS'] = array('javascript:', 'mailto:', mediasource'); and loop over this for if (!startsWith($url,$allowed_uri).

Would that that be ok?

[nodiscc]

Another solution is to have have an option/checkbox (heh) in the tools dialog, checked by default:

[x] Only allow bookmarking http://, https:// and magnet: URIs