Is post styling broken?

TheCarbyneUniverse · May 20, 2020, 10:30pm

It’s most likely because the DevForum changed a plugin that they use for formatting posts. They’re probably not using Discourse’s plugin, but rather something else that doesn’t support most div styling.

Elttob · May 20, 2020, 10:31pm

Interesting. Is there any reason in particular for this?

TheCarbyneUniverse · May 20, 2020, 10:36pm

Hmm. No idea, really.

But I did find another topic that talks about format breaking in old posts:

And one of posts said that they changed plugin, which was the answer. The reason–I guess no one knows for sure. Maybe they didn’t include certain features that other plugins did or something along those lines. I think they’re trying to get as many ways of formatting in one plugin.

buildthomas · May 20, 2020, 10:38pm

No that’s not related, Kunena is forum software, not a Discourse plugin. Before Oct 2015 we used to have a Kunena-based forum on a different URL. Those posts with old formatting are from Kunena that weren’t properly converted over.

cxmeels · May 20, 2020, 10:42pm

I’m pretty sure the DevForum uses MarkdownIt, which basically just applies the styles it would normally apply to transformed markdown. I don’t think MarkdownIt supports any form of custom styles. I might be wrong.

Automationeer · May 20, 2020, 10:42pm

It was probably disabled to stop people being obnoxious, or broken by mistake with formatting plugins.

You are, in fact not correct.

cxmeels · May 20, 2020, 10:49pm

I didn’t put that very well. I meant, I think it strips style and script tags from HTML. I’m aware some tags have deprecated attributes which can be used for styling.

HTML is enabled

Automationeer · May 20, 2020, 10:51pm

You can’t use style or class on the DevForum; again, likely to stop obnoxious behaviour and security vulnerabilities.

Elttob · May 20, 2020, 10:55pm

I’m intrigued as to what security vulnerabilities you could run into with CSS styling. For things like offsite images/tracking pixels I’m pretty sure there’s already countermeasures in place.

edit: all the applicable vulnerabilities I found depend on JS or an insecure content policy, e.g. CSS Security Vulnerabilities | CSS-Tricks - CSS-Tricks

cxmeels · May 20, 2020, 11:04pm

I presume the server-side sanitiser gem is still used, so it could be that Roblox have purposely blacklisted certain HTML tags and attributes:

github.com

discourse/discourse/blob/main/docs/SECURITY.md

## Discourse Security

We take security very seriously at Discourse. We welcome any peer review of our 100% open source code to ensure nobody's Discourse forum is ever compromised or hacked.

### Where should I report security issues?

In order to give the community time to respond and upgrade we strongly urge you report all security issues privately. Please use our [vulnerability disclosure program at Hacker One](https://hackerone.com/discourse) to provide details and repro steps and we will respond ASAP. If you are unable to use Hacker One, email us directly at `team@discourse.org` with details and repro steps. Security issues *always* take precedence over bug fixes and feature work. We can and do mark releases as "urgent" if they contain serious security fixes.

**Please note:** Due to a significant number of low quality security reports sent via email, we are unlikely to act on security reports sent to us via email unless they come from a trusted source, and include details on the vulnerability and step by step instructions to reproduce it. Theoretical reports without a proof of concept are not accepted. We strongly recommend you follow the Hacker One submission protocols.

For a list of recent security commits, check [our GitHub commits prefixed with SECURITY](https://github.com/discourse/discourse/search?o=desc&q=SECURITY&s=committer-date&type=Commits).

### Password Storage

Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web [tend to agree that PBKDF2 is a secure choice](https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage).

**options you can customize in your production.rb file**

- `pbkdf2_algorithm`: the hashing algorithm used (default "sha256")
- `pbkdf2_iterations`: the number of iterations to run (default 64000)

This file has been truncated. show original

On its default settings it removes style tags and attributes.

Elttob · May 20, 2020, 11:08pm

There’s a relevant issue on their github it appears: Custome Sanitizer: allowing style attributes fails · Issue #130 · rgrove/sanitize · GitHub

edit: and this one too! Allow all CSS properties? · Issue #118 · rgrove/sanitize · GitHub

cxmeels · May 20, 2020, 11:09pm

Good catch. I didn’t look in the issues. That might be the case.

Elttob · May 20, 2020, 11:11pm

Yeah it might just be a configuration issue. If so, then it appears all it’ll take to solve is enabling style attributes and configuring the css whitelist to a safe subset

cxmeels · May 20, 2020, 11:39pm

I actually quite like the borders on this. Makes the fact that it's a navigation very distinct.



Reclass	Imiji	Atmos	Pick	InCommand

Atmos is a plugin that makes it easy to find, preview and apply professional skyboxes and lighting configurations in your game.

Once installed, you can browse through a range of different skyboxes in the Skybox Browser…

Also, if you want to test anything in future without making a new public thread, you can just message @discobot.

FxllenCode · September 17, 2020, 1:16am

Sorry for the necrobump- This issue still exists, to a certain extent. I have found the the combination of HTML tags right before/after markdown and/or richtext breaks the post styling. Here is an example:

Example

![image|690x301](upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png)

Here is what I wrote:

![image|690x301](upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png) 
<hr>
![image|690x301](upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png)

Very simple yet broken. As someone who uses HTML/CSS a lot when writing posts, this is extremely frustrating and also embarssing when I look back and see this instead the image of the issue:
![image|690x301(upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png)

I don’t know why this is happening, but if it’s at all possible to fix, that would be great. Thank you.

sjr04 · September 17, 2020, 1:19am

It’s not broken? You just need to put a new line.

FxllenCode · September 17, 2020, 1:24am

I tried this, apologies for not making it clear, but it does not work when inside a summary. Here is the correct code:

[details="Summary"]
![image|690x301](upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png) 
<hr>
![image|690x301](upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png) 
[/details]

Here is it without:

sjr04 · September 17, 2020, 1:25am

[details="Summary"]
![image|690x301](upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png) 

<hr>

![image|690x301](upload://qhYAxICQ70pJFhD44JGyn2xEb1s.png) 
[/details]

works fine for me when I add the newline.

FxllenCode · September 17, 2020, 1:26am

Hm, that’s strange. I attempted to do that earlier with no results. It works fine now. I am going to look into this.

Automationeer · September 17, 2020, 5:46am

It’s not difficult. You can’t mix markdown and HTML, so you need a new line gap between them.