As Oliver said, it’s a lot more than just markup… there’s custom CSS, and even Javascript.
Is it at all possible to allow embedding of entire pages, such as via <object> tags? (In my case, I would then create a special view (toggled via a URL parameter) onto the blog post page—something my blogging software lets me do easily—that would show the content only, without the sidebar, comment section, site header, etc.; and then embed that view into the LW post.)
Also, at least for me, click-to-enlarge images and slide galleries weren’t essential to enjoying your post.
Good to hear! :)
(However, it really is a lot of different custom stuff.)
Isn’t allowing <object> an invitation for XSS?
Yes, that’s true, but I am not suggesting allowing <object> tags with arbitrary parameters—only specific ones (i.e., ones where the data attribute is the URL of a trusted site). Then again, I am no security expert!
With something like this, what seems like a good way to implement it is to have a “moderation queue” of some sort (akin to some blogs having a “comments must be approved to be posted” system). So a user who wants to use certain features (such as the aforesaid <object>-based embedding) would post their post, and then it would sit in the mod queue until a moderator looked at it and verified that it wasn’t malicious, that the user in question was someone they trusted not to be malicious, etc.
Anyway, I don’t insist that this solution is the best, or even good; if it can’t be made to work for security reasons, well, that’s that. If it could be made to work, though, then it (or something similar) would be very convenient!
If mods allow that, they make all of LW hackable by you, by anyone who can guess your password, and by anyone who can hack your site at any point in the future. I think that’s way too much trust.
As Oliver said, it’s a lot more than just markup… there’s custom CSS, and even Javascript.
Is it at all possible to allow embedding of entire pages, such as via
<object>tags? (In my case, I would then create a special view (toggled via a URL parameter) onto the blog post page—something my blogging software lets me do easily—that would show the content only, without the sidebar, comment section, site header, etc.; and then embed that view into the LW post.)Isn’t allowing <object> an invitation for XSS?
Also, at least for me, click-to-enlarge images and slide galleries weren’t essential to enjoying your post.
Good to hear! :)
(However, it really is a lot of different custom stuff.)
Yes, that’s true, but I am not suggesting allowing
<object>tags with arbitrary parameters—only specific ones (i.e., ones where thedataattribute is the URL of a trusted site). Then again, I am no security expert!With something like this, what seems like a good way to implement it is to have a “moderation queue” of some sort (akin to some blogs having a “comments must be approved to be posted” system). So a user who wants to use certain features (such as the aforesaid
<object>-based embedding) would post their post, and then it would sit in the mod queue until a moderator looked at it and verified that it wasn’t malicious, that the user in question was someone they trusted not to be malicious, etc.Anyway, I don’t insist that this solution is the best, or even good; if it can’t be made to work for security reasons, well, that’s that. If it could be made to work, though, then it (or something similar) would be very convenient!
If mods allow that, they make all of LW hackable by you, by anyone who can guess your password, and by anyone who can hack your site at any point in the future. I think that’s way too much trust.
Yeah, fair point. Ok, back to the drawing board, I suppose!