Purple is a color...
-
Continuing the discussion from PURPLE lS OBJECTIVELY THE BEST COLOR:
I don't suppose @PJH would go for https://github.com/discourse/discourse-bbcode-color
Er - I'm not too sure.
-
This post is deleted!
-
You could go for named colors and leave anything that's too close to background out of the list... but yeah, numeric references would need to be out the window.
-
Have you looked at the plugin? It's 15 lines.
No configuration possible.
-
I did now. Not too surprised at what I'm seeing. You'd have to modify the code and add a whitelist on matches[1].
Though if that whiteListTag does what I think it's doing it also allows bare <font> tags, which throws everything out of the window...
-
Should be easy to fork and change the last two lines...
Discourse.Markdown.whiteListTag('font', 'color', /\w+/);
Discourse.Markdown.blackListTag('font', 'color', /white/);
assuming tag blacklist exists. Otherwise something like
Discourse.Markdown.whiteListTag('font', 'color', /(\s+|^)(?!white$)\w+/);
-
assuming tag blacklist exists.
[HA:pjh@sofa discourse]$ egrep -i "^[ \t]+(white|black)" ./app/assets/javascripts/discourse/lib/markdown.js
whiteListTag: function(tagName, attribName, value) {
Whitelists more classes for sanitization.
whiteListClass: function() {
Whitelists iframes for sanitization
whiteListIframe: function(regexp) {
[HA:pjh@sofa discourse]$
-
<font color="#FFF">
<font color="#FFFFFF">
-
Both fail: # is not a word character.
Neither is ( to do rgb(255,255,255)
-
that was rather my point. ;-)
they match the hex pattern and so you could use for white text.
-
No, they DON'T match the pattern. I removed the line that whitelisted the version starting with '#' as part of my suggested fix. It only allows named colors, and only non-white.
-
what? you EVIL!
named colours aren't consistent across browsers!
-
grey
gray
-
named colours aren't consistent across browsers!
Neither are emoji ;)
you write a regex that allows hex colors but not those that can't be seen on a white background. I dare you :D
-
Just disallow all colors of the form #FFF*?
I buttume that should be sufficient.
-
-
-
Just disallow all colors of the form #FFF*?
#FOEAD6 is so much more readable than FFFFFF
-
-
Just disallow all colors of the form #FFF*?
I buttume that should be sufficient.
#EFFFFF
I'll leave you to your two problems...
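Added example, not part of any post in this thread and not Discourse code: instead of a regex over hex digits, it parses the value and rejects colors whose contrast against the background is too low, which catches #EFFFFF as well as #FFF. The white background, the 4.5:1 threshold (the WCAG AA figure for body text) and all function names are assumptions.

```javascript
// Added example: numeric contrast check replacing a "#FFF*" style blacklist.
// Assumptions: white page background, 4.5:1 minimum contrast.
const MIN_CONTRAST = 4.5;
const HEX = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

// Parse "#RGB" or "#RRGGBB" into [r, g, b] (0-255); null for anything else.
function parseHex(value) {
  if (typeof value !== 'string' || !HEX.test(value)) return null;
  let h = value.slice(1);
  if (h.length === 3) h = h.replace(/./g, c => c + c); // "FFF" -> "FFFFFF"
  return [0, 2, 4].map(i => parseInt(h.slice(i, i + 2), 16));
}

// WCAG relative luminance of an sRGB color (0 = black, 1 = white).
function luminance([r, g, b]) {
  const lin = c => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

// Contrast ratio of the color against white (luminance 1).
function contrastOnWhite(rgb) {
  return 1.05 / (luminance(rgb) + 0.05);
}

// Accept only well-formed hex colors that stay readable on white.
function isReadableOnWhite(value) {
  const rgb = parseHex(value);
  return rgb !== null && contrastOnWhite(rgb) >= MIN_CONTRAST;
}

// Constructed samples: values quoted in the thread plus a few others.
const hexSamples = ['#FFF', '#FFFFFF', '#EFFFFF', '#F0EAD6', '#FOEAD6',
                    'rgb(255,255,255)', '#800080', '#000'];
for (const s of hexSamples) {
  console.log(s, isReadableOnWhite(s) ? 'allowed' : 'rejected');
}
```

This covers only the color-versus-background case; the other ways of hiding text mentioned later in the thread are outside what it checks.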
-
Yeah, cause there aren't <to hide text.>
[spoiler]None at all...[/spoiler]
-
Should be easy to fork and change the last two lines...
Discourse.Markdown.blackListTag('font', 'color', /white/);
assuming tag blacklist exists. Otherwise something like
Discourse.Markdown.whiteListTag('font', 'color', /(\s+|^)(?!white$)\w+/);
I'd just whitelist, say, the eight most likely colours people want to use:
Red, orange, yellow, green, blue, purple, grey/gray, black
The good thing is, that set *is* consistent across browsers :smile:
The regex is easy too:
/(red)|(orange)|(yellow)|(green)|(blue)|(purple)|(grey)|(gray)|(black)/
-
The regex is easy too:
/(red)|(orange)|(yellow)|(green)|(blue)|(purple)|(grey)|(gray)|(black)/
Now you have two problems:
- Is that anchored right, or would lightblue match it?
- Did you mean to use all those capturing parentheses? Really?
-
1, yes so would
i am a blue fish
2.
-
/^(red)|(orange)|(yellow)|(green)|(blue)|(purple)|(grey)|(gray)|(black)$/
- Unless there's some weird syntax fuckery in whatever Discourse is written in, they're just grouping parentheses
-
My regex is rusty from irregular use, but I think that still matches
i am a blue fish
because of precedence.
-
they're just grouping parentheses
Grouping parens capture by default: http://www.regular-expressions.info/refcapture.html
-
My regex is rusty from irregular use, but I think that still matches
i am a blue fish
because of precedence.
sigh...
/^((red)|(orange)|(yellow)|(green)|(blue)|(purple)|(grey)|(gray)|(black))$/
And this is why I try to avoid writing regexes if at all possible...
-
sigh...
/^((red)|(orange)|(yellow)|(green)|(blue)|(purple)|(grey)|(gray)|(black))$/
/^(?:red|orange|yellow|green|blue|purple|gr[ea]y|black)$/
And this is why I try to avoid writing regexes if at all possible...
QFT
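Added example, not part of any post in this thread: the three color-name patterns posted above, run against the inputs the thread argues about, to show what each one lets through. The sample list is constructed, and `accepted` and `isAllowedColor` are hypothetical helper names.

```javascript
// Added example: compare the color-name patterns from the thread.
const patterns = {
  // First proposal: no anchors, so any substring match passes.
  unanchored: /(red)|(orange)|(yellow)|(green)|(blue)|(purple)|(grey)|(gray)|(black)/,
  // Second proposal: ^ binds only to (red) and $ only to (black),
  // because alternation has the lowest precedence.
  misanchored: /^(red)|(orange)|(yellow)|(green)|(blue)|(purple)|(grey)|(gray)|(black)$/,
  // Final form: one non-capturing group, anchored as a whole.
  anchored: /^(?:red|orange|yellow|green|blue|purple|gr[ea]y|black)$/,
};

// Constructed inputs, mostly taken from the discussion.
const samples = ['blue', 'gray', 'grey', 'lightblue', 'darkred',
                 'i am a blue fish', 'aliceblue', 'white', '#FFF'];

// Return the samples a pattern accepts.
function accepted(pattern) {
  return samples.filter(s => pattern.test(s));
}

// Allowlist check using the fully anchored pattern.
function isAllowedColor(value) {
  return typeof value === 'string' && patterns.anchored.test(value);
}

for (const [name, re] of Object.entries(patterns)) {
  console.log(name.padEnd(12), JSON.stringify(accepted(re)));
}
```

Note that `darkred` is accepted by the unanchored pattern but rejected by the mis-anchored one, while `lightblue` passes both: only the first and last alternatives picked up an anchor.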
-
And this, people, is why we don't use regex to solve problems.
Let this be (another) lesson...
-
fair enough, but about that plugin?
please?
i know it's possible to abuse for hidden text, but we already have that by nested <small> (or <big>, or any tag really) and html comments, and invalid tags....
so it's not like it's a new exploit.
-
Why not allow all color names except ones with the letter W in them?
-
aliceblue
-
This post is deleted!
-
You've blocked red.
-
Why should we get colors before we get #tags ?
Filed under: octothorpes are optional
-
Colours are easier?
-
Not on the eyes.
-
This post is deleted!
-
The best way to find out how this could be abused is to implement it.
-
The best way to find out how this could be abused is to implement it.
so what are we waiting for?
-
Promised a month of no updates? Let's install every plugin so we definitely have new bugs to complain about!
-
Let's install every plugin so we definitely have new bugs to complain about!
This is why I'm reluctant to add plugins. It'll just give Jeff another stick to beat me with.
-
This is why I'm reluctant to add plugins. It'll just give Jeff another stick to beat me with.
And if he does, just tell him where to stick it
-
I'm tempted to go through all of his flaming in the slow Discourse thread and flag all of his posts as off topic, since he's talking toxically about CSS bugs and not the original topic
-
All that'll do is spam me and @boomzilla with messages.
-
Which is the main reason I haven't. I've mentioned it to you now, which has pretty much made the point without annoying you guys
-
All that'll do is spam me and @boomzilla with messages.
it would also spam the target of the flag... unless admins can't see flags about their own posts?
-
it would also spam the target of the flag... unless admins can't see flags about their own posts?
It seems (from memory) like mods can't see the flags on their posts. At least, not until they've been adjudicated.
-
it would also spam the target of the flag... unless admins can't see flags about their own posts?
Ah - didn't realise the targets got messages about the first 2/3 flags.