Patch #1415956 from Bryan Carbonnell adds CSS for styling purposes and changes the HTML to be valid XHTML1.0. It still needs some tidying up, and it still uses tables for layout, but that patch takes us halfway there.
It presents one big compatibility issue that will probably need to be fixed. The patch removes the colour settings (WEB_HEADER_COLOR, WEB_ERROR_COLOR, WEB_ADMINITEM_COLOR, etc.) and replaces them with CSS class declarations.
It's probably unacceptable to break the use of these settings, so there needs to be some compatibility fix. Colours could be substituted into the .css file somehow, or a 'style' attribute could be added as well as a 'class' attribute. Does anyone have suggestions for what to do?
Patch URL: <http://sourceforge.net/tracker/index.php?func=detail&aid=1415956&group_id=103&atid=300103>
[Aside: are there many patches in the tracker that could be useful? I don't know how actively they've been getting processed. Does there need to be a push to process bugs and patches?]
--amk
A.M. Kuchling wrote:
Patch #1415956 from Bryan Carbonnell adds CSS for styling purposes and changes the HTML to be valid XHTML1.0. It still needs some tidying up, and it still uses tables for layout, but that patch takes us halfway there.
For the moment, I can make at least IE7/firefox "ignore" the tables via css commands, so I could make a lot of progress with just this patch.
The next thing I would do/like to see happen is a minimum-markup table-free version, as that would make UI experimentation much easier.
~ethan
A.M. Kuchling writes:
[Aside: are there many patches in the tracker that could be useful?
"Could be useful", definitely. I've used several at one time or another.
But typically they're unsatisfactory as-is because they hard-code the intended behavior. OTOH, they are non-trivial to integrate as options, so neither the original submitter nor the core devs do so. Nor us downstream users. :-(
I don't know how actively they've been getting processed.
My impression is that many get considered when first submitted, but then languish indefinitely due to the above kind of problem.
Does there need to be a push to process bugs and patches?
I suspect getting more modularity, making it easier to turn interesting ideas into generally available options, should be given precedence. Especially since that's where Barry is headed in Mailman 3 AIUI.
If the Triumvirate could free up some time for it, an MvL-like review-for-5-reviews policy, even if only a limited-time offer, could help clean up the backlog, though.
On 3-May-07, at 9:03 PM, A.M. Kuchling wrote:
Patch #1415956 from Bryan Carbonnell adds CSS for styling purposes and changes the HTML to be valid XHTML1.0. It still needs some tidying up, and it still uses tables for layout, but that patch takes us halfway there.
It does look very promising! I'm a big fan of going to XHTML, and
given that it sounds like some of the templating systems are going to
want clean, closed tags, this seems like the best way of keeping our
options open while still moving forwards.
It presents one big compatibility issue that will probably need to be fixed. The patch removes the colour settings (WEB_HEADER_COLOR, WEB_ERROR_COLOR, WEB_ADMINITEM_COLOR, etc.) and replaces them with CSS class declarations.
It's probably unacceptable to break the use of these settings, so there needs to be some compatibility fix. Colours could be substituted into the .css file somehow, or a 'style' attribute could be added as well as a 'class' attribute. Does anyone have suggestions for what to do?
Some thoughts with positive (+) and negative (-) notes:
Have the CSS generated by a CGI (which could then use these variables
if they're available).
- extra processing for each web request
- could lay groundwork to make it possible to change settings on a
per-list (or per virt-domain) basis rather than site-wide.
Use a Makefile to generate the CSS once from this file (and leave
note in file saying that further config is in CSS)
- processing happens once
- can't be applied easily as a patch, requires an actual rebuild to
take effect
Use a "style" attribute as well as a "class" one:
- might make conversion from one type of settings to another easier
- just going to look inexplicable and hackish later, potentially make
it more awkward to do CSS-only skins
Not clear to me what would be best just yet...
Terri
Terri Oda wrote, On 05/05/2007 05:24 PM:
It presents one big compatibility issue that will probably need to be fixed. The patch removes the colour settings (WEB_HEADER_COLOR, WEB_ERROR_COLOR, WEB_ADMINITEM_COLOR, etc.) and replaces them with CSS class declarations.
It's probably unacceptable to break the use of these settings, so there needs to be some compatibility fix. Colours could be substituted into the .css file somehow, or a 'style' attribute could be added as well as a 'class' attribute. Does anyone have suggestions for what to do?
Some thoughts with positive (+) and negative (-) notes:
Have the CSS generated by a CGI (which could then use these variables
if they're available).
- extra processing for each web request
- could lay groundwork to make it possible to change settings on a
per-list (or per virt-domain) basis rather than site-wide.
Perhaps that part of the CSS could be included inline in the already cgi-generated html header. It will probably only be a couple of lines. If placed before inclusion of custom css then customizers can override it if they want to. (That would be very close to how it is done in Plone.)
IMHO that addresses the only minus of this solution.
Just a thought...
/Mads
On Sat, May 05, 2007 at 11:24:27AM -0400, Terri Oda wrote:
Have the CSS generated by a CGI (which could then use these variables
if they're available).
- extra processing for each web request
- could lay groundwork to make it possible to change settings on a
per-list (or per virt-domain) basis rather than site-wide.
The extra processing may not be too bad if we set an Expires: header on the CSS output. I imagine most crawlers, well- or badly-behaved, don't crawl the stylesheet linked from HTML pages.
Use a Makefile to generate the CSS once from this file (and leave
note in file saying that further config is in CSS)
- processing happens once
- can't be applied easily as a patch, requires an actual rebuild to
take effect
I don't think this choice would work very well; requiring a rebuild would break backward compatibility. I don't know if that breakage would be OK for Mailman 2.2 or 3, but it's surely off-limits for a 2.1 point-release.
Use a "style" attribute as well as a "class" one:
- might make conversion from one type of settings to another easier
- just going to look inexplicable and hackish later, potentially make
it more awkward to do CSS-only skins
- May also make the Python code messier; instead of generating a div or span with a class attribute, it will need to generate a style attribute as well.
- On the other hand, we could skip generating the style attribute if the corresponding mm_cfg setting is None. That provides a nice path for people to switch from setting colours in mm_cfg to providing their own custom CSS.
Either the first or third choice would work for me. I'd be inclined to try #3 first and see how well it works; maybe it's not that messy in practice.
--amk
A.M. Kuchling wrote:
On Sat, May 05, 2007 at 11:24:27AM -0400, Terri Oda wrote:
Have the CSS generated by a CGI (which could then use these variables
if they're available).
- extra processing for each web request
- could lay groundwork to make it possible to change settings on a
per-list (or per virt-domain) basis rather than site-wide.The extra processing may not be too bad if we set an Expires: header on the CSS output. I imagine most crawlers, well- or badly-behaved, don't crawl the stylesheet linked from HTML pages.
I do not think this is a good idea. It is better to have a CSS file that just declares the colors and then use those definitions elsewhere. Backward compatibility would involve reading the color definitions from mm_cfg, deleting them from the config, and writing them into the css file.
There are very few good reasons to put dynamic markup in CSS. Designers are very comfortable with CSS files. Having to edit a python file to set colors is very much out of their comfort zone.
It is possible to have multiple classes per element, eg class="aLegacyClass aClass". This has excellent support across browsers. Changing this list dynamically is the best way to change styles "in code".
Any time we need multiple style-states for one element, we should have multiple classes. If the set of states exceeds that which should reasonably be typed out - like the location if one is allowing dynamic dragging- then the style manipulations should be achieved by javascript that may be partially dynamically generated or better by static javascript that gets whatever server data it needs via JSON.
Use a "style" attribute as well as a "class" one:
We should never use the style attribute if we can at all avoid it, as there is no (easy) way for a CSS stylesheet to override the style attribute. The exception is manipulating element.style in javascript.
~ethan
A.M. Kuchling writes:
I don't think this choice would work very well; requiring a rebuild would break backward compatibility. I don't know if that breakage would be OK for Mailman 2.2 or 3, but it's surely off-limits for a 2.1 point-release.
Going to CSS at all is presumably off-limits for a 2.1 release. I think it would be a very bad idea to constrain the design to be backwards compatible to a non-CSS solution, but not doing so is unfair to people who expect a 2.1 release to be a 2.1 release.
IMO, the point of doing the CSS branch off of 2.1 is so that people who want to experiment with CSS but aren't core Mailman developers can avoid working with experimental distribution code. Sorta like you don't have the plastic surgeon doing a facelift while the orthopedic guy is slicing into your knee. But hoping for a 2.1 release with CSS is just dreaming.
Terri Oda writes:
Use a "style" attribute as well as a "class" one:
- might make conversion from one type of settings to another easier
- just going to look inexplicable and hackish later, potentially make
it more awkward to do CSS-only skins
-1. This is precisely the kind of thing we need to avoid at all costs. You aren't going to decrease the pain of deprecating colors- in-mm_cfg.py by postponing it, so may as well release CSS-only as 2.2 as soon as CSS is ready for release (and have at least one more 2.1 release for those who aren't ready to go to 2.2).
In the transition, I think that we should definitely use the cascade. The multiple class method that Ethan describes is a good way to provide a deprecation path over time as the code matures, although I wonder if it's even necessary. In a different dimension, we probably should have a mailman.css analogous to Defaults.py. Site and list admins never touch this. Then there would be a site.css, analogous to mm_cfg.py, and finally a $list.css for each list, in order of increasing preference. For the sake of virtual hosts, site.css should either be kept in a site-specific folder, or given a site-specific name.
As Ethan points out, these should be "real" files, not inline CSS in the HEAD element generated by the cgi. It should be possible to generate simple site and list stylesheets (eg, changing colors) for the default templates through-the-web, but designers will want to deal with CSS, not Python code. Note that with a little care, the same module that does the t-t-w CSS generation could probably accept an mm_cfg.py and (a) use the variables defined in mm_cfg.py to generate site.css and (b) remove them (warning loudly that setting them in the future will have no effect).
Finally, we could have a check_config script analogous to check_perms, but it would examine mm_cfg.py and the list configs, looking for variables that are deprecated and variables that Mailman doesn't even use, odd values and stuff like that.
On 5/6/07 5:00 AM, "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
A.M. Kuchling writes:
I don't think this choice would work very well; requiring a rebuild would break backward compatibility. I don't know if that breakage would be OK for Mailman 2.2 or 3, but it's surely off-limits for a 2.1 point-release.
Going to CSS at all is presumably off-limits for a 2.1 release. I think it would be a very bad idea to constrain the design to be backwards compatible to a non-CSS solution, but not doing so is unfair to people who expect a 2.1 release to be a 2.1 release.
IMO, the point of doing the CSS branch off of 2.1 is so that people who want to experiment with CSS but aren't core Mailman developers can avoid working with experimental distribution code. Sorta like you don't have the plastic surgeon doing a facelift while the orthopedic guy is slicing into your knee. But hoping for a 2.1 release with CSS is just dreaming.
Terri Oda writes:
Use a "style" attribute as well as a "class" one:
- might make conversion from one type of settings to another easier
- just going to look inexplicable and hackish later, potentially make it more awkward to do CSS-only skins
-1. This is precisely the kind of thing we need to avoid at all costs. You aren't going to decrease the pain of deprecating colors- in-mm_cfg.py by postponing it, so may as well release CSS-only as 2.2 as soon as CSS is ready for release (and have at least one more 2.1 release for those who aren't ready to go to 2.2).
In the transition, I think that we should definitely use the cascade. The multiple class method that Ethan describes is a good way to provide a deprecation path over time as the code matures, although I wonder if it's even necessary. In a different dimension, we probably should have a mailman.css analogous to Defaults.py. Site and list admins never touch this. Then there would be a site.css, analogous to mm_cfg.py, and finally a $list.css for each list, in order of increasing preference. For the sake of virtual hosts, site.css should either be kept in a site-specific folder, or given a site-specific name.
As Ethan points out, these should be "real" files, not inline CSS in the HEAD element generated by the cgi. It should be possible to generate simple site and list stylesheets (eg, changing colors) for the default templates through-the-web, but designers will want to deal with CSS, not Python code. Note that with a little care, the same module that does the t-t-w CSS generation could probably accept an mm_cfg.py and (a) use the variables defined in mm_cfg.py to generate site.css and (b) remove them (warning loudly that setting them in the future will have no effect).
Finally, we could have a check_config script analogous to check_perms, but it would examine mm_cfg.py and the list configs, looking for variables that are deprecated and variables that Mailman doesn't even use, odd values and stuff like that.
In general I agree with Ethan and Stephen, designers want CSS to be in its own file (for good reasons) and don't want to have to work in python or XML files if they don't have to. Since we're concerned about maintaining compatibly with 2.1 users that have modified the templates using the current limited options, we shouldn't do a great deal under 2.1. But I think we can do more in 2.1 than Stephen proposes. If we don't edit the HTML content of the existing pages much, we can attach a CSS file that would allow people to do a great deal to customize their sites without needed to worry about breaking old behaviors. Ethen's ideas about how to handle dynamic setting of classes or style sheets might overcome any conflicts that might occur. Even if we didn't go that far, just linking in an empty style-sheet, or creating an option in mm_cfg.py to link your own in would help some users (the user that started the discussion on mailman-users that in turn sparked this conversation was hoping for a feature of that nature). It would leave people in a very hackish position, but at least they wouldn't have to hack the python to do what they want. Certainly adding something simple like that wouldn't cause problems for exiting 2.1 users that don't want to use it.
For 2.2 we could move to better XHTML/CSS design, which would break backward compatibility with old templates. Since it would be a more significant version change that would be acceptable to most people. At that point I think we need to remove all the current python-based settings and move them all into CSS.
If we feel the need to have good through the web support I would suggest for mailman 3.0 we build it in a manner similar to the garland theme in Drupal 5 (which provides a color wheel to select the colors, and then generates a CSS file). You can still edit the CSS directly if you'd like, but it'll do any colorization work for you. I'd also suggest that we avoid putting template links into mm_cfg.py settings, rather use a predefined path like mailman currently does. A theme switcher probably doesn't make sense in Mailman, but being able to change a the look and feel just by updating a CSS file would be a big plus (no restarting mailman). It would be easy enough to define a structure that would allow for CSS files for a given list to live in a particular directory.
Finally I'd like to suggest we avoid using JavaScript until we absolutely have to (a color picker would require it, other ideas might as well), since there isn't any JS in the code base at the moment, and its introduction will add complexity. Also, we'll probably want to find a good library to work with to help set coding standards and allow for some AJAX calls for some elements.
Aaron
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On May 8, 2007, at 9:16 AM, Aaron Crosman wrote:
In general I agree with Ethan and Stephen, designers want CSS to be
in its own file (for good reasons) and don't want to have to work in
python or XML files if they don't have to. Since we're concerned about maintaining compatibly with 2.1 users that have modified the templates using
the current limited options, we shouldn't do a great deal under 2.1. But I
think we can do more in 2.1 than Stephen proposes.
I'm not so sure. I feel very uncomfortable making /any/ non-bug-fix
changes to 2.1, perhaps even limiting them to critical bug fixes that
address security or reliability issues. Better (IMO) to fairly
quickly get a conservative 2.2 out sooner, along the lines I
described in an earlier message.
If we feel the need to have good through the web support I would
suggest for mailman 3.0 we build it in a manner similar to the garland theme in
Drupal 5 (which provides a color wheel to select the colors, and then
generates a CSS file). You can still edit the CSS directly if you'd like, but it'll
do any colorization work for you. I'd also suggest that we avoid putting
template links into mm_cfg.py settings, rather use a predefined path like
mailman currently does. A theme switcher probably doesn't make sense in
Mailman, but being able to change a the look and feel just by updating a CSS
file would be a big plus (no restarting mailman). It would be easy
enough to define a structure that would allow for CSS files for a given list
to live in a particular directory.
For MM3.0, we should use the 80/20 rule. IOW what /out of the box/
will give most people the best value without complicating the code,
or our security or reliability story? Keep in mind use cases like
cPanel where people will not have shell access. In that case,
allowing for CSS editing t-t-w seems like a reasonably powerful and
safe trade-off. More intensive web page editing, I'm not so sure.
The other thing to keep in mind is that MM3.0 will be modular enough
that people could build more extensive integrations with true content
management systems or t-t-w editing environments.
Finally I'd like to suggest we avoid using JavaScript until we
absolutely have to (a color picker would require it, other ideas might as
well), since there isn't any JS in the code base at the moment, and its
introduction will add complexity. Also, we'll probably want to find a good library
to work with to help set coding standards and allow for some AJAX calls for
some elements.
Our basic design requirement here has been that JS is okay in the
default u/i as long as the usability degrades gracefully when it is
not enabled (either because the site disables it or the browser has).
- -Barry
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin)
iQCVAwUBRkCR53EjvBPtnXfVAQKgcQP9HpB9BLbBHYoe4aMGINZCL5iO1whYIQKg uS1G3cGMOjYyBkt5jc7a5N9/jKkmrLU8BJ++yBZXBzvxFEbOn3rlSatpnvQ9Kh6+ cXrQJhpqhJgVYuNpNQSu/RjGVTYYMCOghzKigxjLcpgs+m2n7Wizkly4PsObPR6j vzq/gP+5YmA= =7nhD -----END PGP SIGNATURE-----
On Tue, May 08, 2007 at 11:06:14AM -0400, Barry Warsaw wrote:
I'm not so sure. I feel very uncomfortable making /any/ non-bug-fix
changes to 2.1, perhaps even limiting them to critical bug fixes that
address security or reliability issues. Better (IMO) to fairly
quickly get a conservative 2.2 out sooner, along the lines I
described in an earlier message.
I have an idea for a proposed conservative approach for 2.1:
Add two mm_cfg settings: CSS_FILES and JS_FILES, while are lists (alternatively, whitespace-separated strings):
CSS_FILES = ['/css/mailman.css', '/css/custom.css'] JS_FILES = ['/js/switcher.js', '/js/foo.js']
Make generated HTML pages contain <link rel=stylesheet> for each of the CSS files, and <script src='<js file>'> for each JS file.
Wrap the body of Mailman-generated pages in <div id="mailman">...</div>.
That's it.
This lets people apply CSS and JS customizations to all of Mailman's pages, and the #mailman lets them include MM-specific CSS directives without breaking their existing CSS. JS files are included because people might use them for style switching. Mailman still wouldn't use any JS itself.
Possibly we could apply the portion of the patch that generates tags like <br /> instead of <br>, but since we wouldn't be adding a DOCTYPE to the pages, it wouldn't have much effect. Doing <br /> would make life easier for people including MM-generated HTML within an XHTML page, but I doubt very many people do that.
For 2.2, add:
Restructure HTML to use semantic markup and CSS instead of tables.
Add a DOCTYPE to the HTML output and check for validity. Hand-written HTML in list configs. might break validity; IMHO that shouldn't be our problem to fix. We might choose HTML 4.01 validity to avoid imposing XHTML correctness on such hand-written text.
If the MM developers are OK with taking out the WEB_*_COLOR config settings, remove them with no concern for compatibility.
Install a static mailman.css file.
Or we can do the conservative approach for 2.2 and the larger rewrite for 3.0.
--amk
---------- Original Message ----------- From: "A.M. Kuchling" <amk@amk.ca>
I have an idea for a proposed conservative approach for 2.1:
Add two mm_cfg settings: CSS_FILES and JS_FILES, while are lists (alternatively, whitespace-separated strings):
CSS_FILES = ['/css/mailman.css', '/css/custom.css'] JS_FILES = ['/js/switcher.js', '/js/foo.js']
<snip>
+1! Good idea!
Bob
A.M. Kuchling wrote:
I have an idea for a proposed conservative approach for 2.1:
Add two mm_cfg settings: CSS_FILES and JS_FILES, while are lists (alternatively, whitespace-separated strings):
CSS_FILES = ['/css/mailman.css', '/css/custom.css'] JS_FILES = ['/js/switcher.js', '/js/foo.js']
Just to be pedantic, as long as we make sure they appear in the order they're presented; you may also wish to do something like:
CSS_FILES = [{'href':'/css/mailman.css', 'rel': 'stylesheet', 'media': 'screen'}, {'href':'/css/custom.css','rel':'alternate','media':'screen'}]
of course, at that point you're practically spelling the entire link, but at least the 'rel' is commonly used.
- Wrap the body of Mailman-generated pages in <div id="mailman">...</div>.
That's it.
great! +1
Possibly we could apply the portion of the patch that generates tags like <br /> instead of <br>, but since we wouldn't be adding a DOCTYPE to the pages, it wouldn't have much effect.
Pretty please lets add this doctype: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
and fix singleton tags (though *note* you cannot emit <script> tags as singletons). There is a lot of CSS that simply Does Not Work without a doctype. This is particularly true for Internet Explorer 6 (and I assume 7) which basically doesn't turn on the CSS bugfixes since IE 5 if you don't issue a doctype.
It is actually ok if the hand-written HTML is still tag-soupish; as long as we don't include an XML prolog the browsers still handle simplistic well-formedness errors, and even more severe ones don't give you the "I refuse to render" problem that you get if you use an XML prolog. The main difference is the CSS rendering path used.
For 2.2, add:
Restructure HTML to use semantic markup and CSS instead of tables.
Add a DOCTYPE to the HTML output and check for validity. Hand-written HTML in list configs. might break validity; IMHO that shouldn't be our problem to fix. We might choose HTML 4.01 validity to avoid imposing XHTML correctness on such hand-written text.
For pages that are "generated" rather than hand-edited, I propose we use this doctype as of 2.2:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
with the 4.01 strict being fallback for non-validating hand-edited pages.
If the MM developers are OK with taking out the WEB_*_COLOR config settings, remove them with no concern for compatibility.
Install a static mailman.css file.
+1
~ethan
Ethan Fremen wrote:
For pages that are "generated" rather than hand-edited, I propose we use this doctype as of 2.2:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
And with 3.0 I would like to see the following:
All pages served as xhtml strict with Content-type: application/xhtml+xml . This is "problematic" in that you lose document.write() in javascript but beneficial in that you actually get an infoset (meaning you can mix, eg, MathML and XHTML or XHTML and SVG.) (Maybe with a little helper function that checks included JS for deprecated member access.)
All through-the-web editing using some wysiwyg editor like Kupu, with fallback plain-text editing and handholding well-formedness checks.
Serve non ttw pages via webdav with "source port" or "source path" if necessary.
Deprecate CSS_FILES & JS_FILES in favor of whatever our dynamic templates say.
Now that I think about it, I think I would prefer having a HEAD_HTML variable that is a string or one-line-per-list-element variable in 2.2 that had the <link> and <style> elements written out in order to make deprecation easier, and to support all the spiffy oddness one might want to put in the head element.
~ethan
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On May 6, 2007, at 5:00 AM, Stephen J. Turnbull wrote:
Going to CSS at all is presumably off-limits for a 2.1 release. I think it would be a very bad idea to constrain the design to be backwards compatible to a non-CSS solution, but not doing so is unfair to people who expect a 2.1 release to be a 2.1 release.
Agreed.
Andrew, when you created the modernize_21_webui branch, did you set
it up with svnmerge? I think it would be a good idea to
systematically merge 2.1 branch changes into the modernize branch.
-1. This is precisely the kind of thing we need to avoid at all costs. You aren't going to decrease the pain of deprecating colors- in-mm_cfg.py by postponing it, so may as well release CSS-only as 2.2 as soon as CSS is ready for release (and have at least one more 2.1 release for those who aren't ready to go to 2.2).
Agreed. There will definitely be a 2.1.10 (Mark just committed a
bunch of fixes), but I'm with Guido in hating two-digit point release
numbers.
In the transition, I think that we should definitely use the cascade. The multiple class method that Ethan describes is a good way to provide a deprecation path over time as the code matures, although I wonder if it's even necessary. In a different dimension, we probably should have a mailman.css analogous to Defaults.py. Site and list admins never touch this. Then there would be a site.css, analogous to mm_cfg.py, and finally a $list.css for each list, in order of increasing preference. For the sake of virtual hosts, site.css should either be kept in a site-specific folder, or given a site-specific name.
Would you make $list.css editable by the list admin, a la
listinfo.html? Does doing so open any additional security
vulnerabilities?
As Ethan points out, these should be "real" files, not inline CSS in the HEAD element generated by the cgi. It should be possible to generate simple site and list stylesheets (eg, changing colors) for the default templates through-the-web, but designers will want to deal with CSS, not Python code. Note that with a little care, the same module that does the t-t-w CSS generation could probably accept an mm_cfg.py and (a) use the variables defined in mm_cfg.py to generate site.css and (b) remove them (warning loudly that setting them in the future will have no effect).
I don't like being able to upload mm_cfg.py ttw, even if it's just to
suck a few ui variables out of it. If we're going to allow ttw
updating to the css, let's just do that directly instead of going
through Python code.
Finally, we could have a check_config script analogous to check_perms, but it would examine mm_cfg.py and the list configs, looking for variables that are deprecated and variables that Mailman doesn't even use, odd values and stuff like that.
+1
- -Barry
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin)
iQCVAwUBRkCMmHEjvBPtnXfVAQIhigP/b837+mCQMIBsmS99dRDSrpeUCsDPTbL3 XlsZYiKBQVu8Xn4EFy0cklu4O/T51zoKHPJmnmVEXhcDLoMsAXlQf6wzOzekOO/P OJZZi8VPMRTpEteHz34Sx3/4XZF53Xioqoqwn+mxtayA4cykaYjq4+yUOODup9FN DY7SEKP1xzY= =/F99 -----END PGP SIGNATURE-----
Barry Warsaw writes:
Would you make $list.css editable by the list admin, a la
listinfo.html? Does doing so open any additional security
vulnerabilities?
Yes to editable, I don't know to security vulnerabilities. View the CSS Zen Garden (better yet, get the book), and know fear. What those people manage to do without ever changing a tag is amazing!
Since CSS is intended to be purely presentational, the two threats I can see are hiding evil that they sneak in some other way, and "social engineering" via misdirection. Eg, I can image some mischief where you swap the labels of the "Cancel" and "Submit" buttons via CSS.
with CSS, not Python code. Note that with a little care, the same module that does the t-t-w CSS generation could probably accept an mm_cfg.py and (a) use the variables defined in mm_cfg.py to generate site.css and (b) remove them (warning loudly that setting them in the future will have no effect).
I don't like being able to upload mm_cfg.py ttw, even if it's just to
suck a few ui variables out of it. If we're going to allow ttw
updating to the css, let's just do that directly instead of going
through Python code.
Sorry, my wording was *very* imprecise. What I had in mind was that the ttw CSS generating <FORM> in HTML will give you KEY=VALUE pairs, which is what mm_cfg.py is. So the logic for generating CSS would be the same. The UIs would be completely separate. ttw would go via one or more HTML forms. The "import mm_cfg" inteface would only be available via the shell, that would not be available ttw.
On Tue, May 08, 2007 at 10:43:36AM -0400, Barry Warsaw wrote:
Andrew, when you created the modernize_21_webui branch, did you set
it up with svnmerge? I think it would be a good idea to
systematically merge 2.1 branch changes into the modernize branch.
No svnmerge initialization, but I can certainly do so. If we need to rebranch, depending on what course of action is decided for 2.1 (if anything) and 2.2.
--amk
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On May 5, 2007, at 11:24 AM, Terri Oda wrote:
Have the CSS generated by a CGI (which could then use these variables if they're available).
- extra processing for each web request
- could lay groundwork to make it possible to change settings on a per-list (or per virt-domain) basis rather than site-wide.
Use a Makefile to generate the CSS once from this file (and leave note in file saying that further config is in CSS)
- processing happens once
- can't be applied easily as a patch, requires an actual rebuild to take effect
Use a "style" attribute as well as a "class" one:
- might make conversion from one type of settings to another easier
- just going to look inexplicable and hackish later, potentially make it more awkward to do CSS-only skins
Mailman trunk already has a wsgi based server of its own. It's my
intention to deploy it without the (traditional) cgi scripts. By
default Mailman would simply provide its own simple web server, but
be compatible with wsgi for alternative publishing options.
- -Barry
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin)
iQCVAwUBRkCASnEjvBPtnXfVAQLhXwQAk1iamo4BCATpDX0nSO1fdayzPO8pif1G dYXhy+Pmea0g5/QPrUK8Yk4lcrwCZX7Tf/ggmV2g02jVdGwD+t/ST1nz/mjwa/ws w4RM99BaR+cXRiJshUJ7DoHs//5ihC7wPKiH/mcCnhJMfhJR5kWqkpqNLpQkAcXx g12dn0NBbbE= =4XyB -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On May 3, 2007, at 9:03 PM, A.M. Kuchling wrote:
It presents one big compatibility issue that will probably need to be fixed. The patch removes the colour settings (WEB_HEADER_COLOR, WEB_ERROR_COLOR, WEB_ADMINITEM_COLOR, etc.) and replaces them with CSS class declarations.
If we call the version that gets released with the new u/i "Mailman
2.2" then I don't have a problem breaking this. I don't think we can
reasonably release this stuff as "Mailman 2.1" either way.
[Aside: are there many patches in the tracker that could be useful? I don't know how actively they've been getting processed. Does there need to be a push to process bugs and patches?]
I know Mark often does triage and commits fixes, but the tracker
could certainly use a lot of love.
- -Barry
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin)
iQCVAwUBRkB/anEjvBPtnXfVAQJqLwP/SFmDBY+BapGRQR9EgWdmhic3Ka61EXup lS90vXglmW3kEbT/clm/9xkv9y179fQIT077OLGHGDPx18JWnIc2sPP+o8Hwb1wR KF+WAQKZUCSbAi5kD6LxBQIHcFjOMyQRIaoXK913CrVRGHKDqYpq2ALZHx3KkhGL jrhpDt37+Ao= =8cQj -----END PGP SIGNATURE-----
A.M. Kuchling wrote:
Patch #1415956 from Bryan Carbonnell adds CSS for styling purposes and changes the HTML to be valid XHTML1.0. It still needs some tidying up, and it still uses tables for layout, but that patch takes us halfway there.
I'm getting round to reading these mails rather late, but I wonder does anyone have a set of XHTML-compliant HTML templates which will work with 2.1.9?
I did have a look at this patch but it requires changes to the Mailman source in a build directory before installing and for my "production" system I'd rather keep using the Ubuntu packaged version.
It's great to see so much movement on getting the Web templates sorted out - all our Web output gets preprocessed by an XML parser to add on headers and footers and to try and force some XHTML compliance, so having templates which don't screw up on the way out of the server will be fantastic :)
Now to catch up on the rest of this thread...
Cheers, Andy
-- Andy Buckley: CEDAR @ IPPP, Durham Work: www.cedar.ac.uk www.insectnation.org
participants (10)
-
A.M. Kuchling -
Aaron Crosman -
Andy Buckley -
Barry Warsaw -
Bob Puff -
Ethan Fremen -
Fil -
Mads Kiilerich -
Stephen J. Turnbull -
Terri Oda