The set of filters in the module is great. I wonder why you opted to do a negative filter for the iframe and not a positive one, so that people can just add iframe support with a filter instead of turning that off through one. All other filters are "positive" in the module in that they add features.

Attached file: #6 lightbox-filters.png (129.42 KB), by koyama

Comments

stella’s picture

Actually all the other filters don't do anything - they just provide a help tip. The enabling / disabling of these filters doesn't change anything functionality-wise :/

All of the processing of the "rel" anchor attribute is done in the javascript. The javascript code has no idea whether (a) a particular filter is enabled / disabled for a particular node or (b) whether it is even in node content and not automatically generated by cck, image gallery, a block, etc.

As the javascript has no way of determining the source of the content and hence the input filter, it just processes the entire page contents and every "rel" attribute that matches lightbox, lightshow, lightframe, lightmodal or lightvideo it processes. This means that when lightbox2 is enabled, the administrator has no way of preventing users from using these rel attributes in comments, etc - it means untrusted users can create this type of content too.

In the case of rel="lightframe", an iframe is generated in the page. Some concerns were raised about allowing users to enter in links which caused an iframe to be opened when clicked, so I added an input filter that would remove "rel" attributes that matched lightframe.

If there's a more elegant solution, I'd be more than happy to add it, so please let me know!

Cheers,
Stella

Gábor Hojtsy’s picture

Title: Why "Disable Lightbox iframe filter"? » Make filters actual "settings" of what is supported in an input format
Category: support » feature

Ah, understood that the JS just looks for rel attributes, but why not remove all known rel attributes if none of the filters are enabled and only keep those rel attributes which are turned on? Sure, that would not protect places where input filters are not used, but nodes, blocks, user signatures, etc. are all covered by input filters, so most if not all common places a user might enter content are covered.

Turning off certain functionality is both a performance and security/filtering thing. Given that the module is so full featured I could imagine that people might need to turn off certain features for certain (untrusted) input formats. E.g. on a news site, newsroom authors would be able to add lightbox items, but commenters would not. I understand it would require an additional setup step to configure input formats before people can actually use the module.

Initially I also thought that you could watch for input format supported text using the video functionality for example, and only include video support if you need it, but it is true that non-input format supporting areas might also have video support requirements (e.g. site mission or footer in D6), so that is not clearly doable.

Retitled and moved to feature request due to scope change.
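
The allowlist idea from the comment above, sketched as an added example (not part of the thread and not Lightbox2's code): a filter that strips any rel attribute using a Lightbox keyword the input format has not enabled. The function name `filter_lightbox_rel()` and the `$allowed` parameter are hypothetical, and the filter only protects text that passes through an input format on which it is enabled.

```php
<?php
// Added example: not Lightbox2's code. filter_lightbox_rel() and $allowed are hypothetical names.

// The rel keywords the thread says the Lightbox2 JavaScript acts on.
const LIGHTBOX_RELS = ['lightbox', 'lightshow', 'lightframe', 'lightmodal', 'lightvideo'];

/**
 * Remove every rel attribute that uses a Lightbox keyword not in $allowed.
 * Other rel values (nofollow, ...) and allowed keywords are left untouched.
 */
function filter_lightbox_rel(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate user-submitted tag soup
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // Match a keyword anywhere in the value, so rel="nofollow lightframe" and
    // rel="LightFrame[|width:400px;]" are both caught (deliberately conservative).
    $pattern = '/' . implode('|', LIGHTBOX_RELS) . '/i';
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*[@rel]') as $element) {
        preg_match_all($pattern, $element->getAttribute('rel'), $found);
        $used = array_unique(array_map('strtolower', $found[0]));
        if (array_diff($used, $allowed)) {
            $element->removeAttribute('rel'); // keyword present but not enabled
        }
    }

    // Serialize only the body's children, dropping the wrapper added above.
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample comment, not taken from the thread.
$comment = '<p><a href="http://example.com/page" rel="lightframe">frame</a> '
         . '<a href="/img/a.jpg" rel="lightbox[gallery]">image</a> '
         . '<a href="http://example.org/" rel="nofollow">link</a></p>';

// Untrusted commenters: nothing enabled, so both Lightbox rel attributes are removed.
echo filter_lightbox_rel($comment, []), "\n";
// Newsroom authors: images and slideshows enabled, iframes still stripped.
echo filter_lightbox_rel($comment, ['lightbox', 'lightshow']), "\n";
```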

stella’s picture

Well because the video functionality requires so much extra js code and would be a performance hit, it's in its own separate js file and there's an option on the lightbox2 admin page to disable this functionality if not needed. That way the file isn't loaded on sites that don't need it and the lightvideo rel attributes are ignored.

Removing rel attributes if no filters are enabled - I know I've had very little sleep, and so I may be missing something obvious, but how do I remove the rel attributes from links if no filters are enabled? If no Lightbox2 filter is enabled, then won't lightbox2's hook_filter() not be invoked? If it's not invoked then how do you remove rel attributes?

Gábor Hojtsy’s picture

You've had more sleep than I did as it seems. You are right, if no filters are enabled, you could not intervene in the processing. And since the module is by default supporting all rel attributes used on the page, we cannot just depend on secondary hooks like nodeapi to filter node contents (when no filters are enabled). So yeah, I don't see a clean way to do this ATM.

stella’s picture

Status: Active » Postponed

Marking as postponed until we can find a more elegant solution.

Cheers,
Stella

koyama’s picture

If those filter checkboxes for the input format have no effect anyway

  • Lightbox G2 filter
  • Lightbox filter
  • Lightbox iframe filter
  • Lightbox modal filter
  • Lightbox slideshow filter
  • Lightbox video filter

I would prefer that they were simply removed (like in attached screen shot).

For example, I have now been playing around with those checkboxes for several hours not understanding why I couldn't disable the Lightbox. Until I came across this post.

I understand that there won't be any filter tips, but the documentation suffices, I think.