Type question dialog allows arbitrary html

[mbentley00]

I thought I already opened a bug on this, but I can't find it. The type questions dialog allows you to type arbitrary html that will then get displayed. We should only allow bold, italics and underline.

[mbentley00]

I think we might want to do something like sanitize the html, then manually add back the bold/italic/underline tags so that we don't lose that information.

[Theta91]

Can you just parse & disallow any HTML in the dialog? You never want people submitting HTML tags -- only underscores.

[mbentley00]

No, we want italics as well On Nov 18, 2014 8:07 AM, "Theta91" notifications@github.com wrote:

Can you just parse & disallow any HTML in the dialog? You never want people submitting HTML tags -- only underscores.

— Reply to this email directly or view it on GitHub https://github.com/grapesmoker/qems2/issues/72#issuecomment-63494882.

[Theta91]

Ah....good point. Can't one only allow italics tags or devise a complementary system (i.e. * x * is italics and required is required part of answer for both body text and answerline text)? Would like to get someone like Matt W's thoughts on this as italics tags are normally a small PITA.

[grapesmoker]

We can only allow italics tags, sure. Can we decide what we want to allow? If we do that, the filters already exist at the server level and I can just filter out the offending HTML with a whitelist.

[mbentley00]

I say italics, bold and underline. On Nov 20, 2014 1:09 PM, "Jerry Vinokurov" notifications@github.com wrote:

We can only allow italics tags, sure. Can we decide what we want to allow? If we do that, the filters already exist at the server level and I can just filter out the offending HTML with a whitelist.

— Reply to this email directly or view it on GitHub https://github.com/grapesmoker/qems2/issues/72#issuecomment-63880161.

[Theta91]

Bold & underline definitely shouldn't be allowed -- the whole point of underscores denoting required answers/prompts is that it can be adjusted at-will when you generate packets, if needed. 99% of the time, this will be bold & underline, sure -- but instead of having to type a bunch of bold & underline tags to denote required stuff, it's a single character, and you can't make mistakes closing a tag. Those are also the reasons we should eliminate italics in favor of an un-used single character replacement.

[mbentley00]

You can just as easily forget to unclose an underscore.

I'm sympathetic to using underscores for type question entry--we already support that. I'm fine having something similar for italics as well, although I'm not sure what a good character would be that doesn't regularly appear in tossups. A repeated character like @@ would probably work.

If we want to store these behind the scenes as still containing underscores rather than tags and just change how they're rendered I suppose that would work.

On Thu, Nov 20, 2014 at 1:38 PM, Theta91 notifications@github.com wrote:

Bold & underline definitely shouldn't be allowed -- the whole point of underscores denoting required answers/prompts is that it can be adjusted at-will when you generate packets, if needed. 99% of the time, this will be bold & underline, sure -- but instead of having to type a bunch of bold & underline tags to denote required stuff, it's a single character, and you can't make mistakes closing a tag. Those are also the reasons we should eliminate italics in favor of an un-used single character replacement.

— Reply to this email directly or view it on GitHub https://github.com/grapesmoker/qems2/issues/72#issuecomment-63884562.

[mweiner1]

I do not see any legitimate use for manual bold or underline tags (we have never used them for anything in HSAPQ), though there isn't huge harm in supporting them if some non-HSAPQ tournament wants them. We definitely need required answers to use the underscore system and be formatted by the packet parser later.

As far as italics go, I'd be interested in trying a system where we use tildes or whatever instead of the NAQT-style tags. I would also like these features that improve on QEMS1:

1) Italics tags are always interpreted as breaking at the end of a question or answer and do not cause subsequent lines in the packet to be italicized if the closing tag is forgotten. 2) The superpower and power symbols are automatically un-italicized by whatever routine takes care of formatting power zones, so that they can be placed within an italicized title if desired without having to manually end and restart the italics. 3) Auto-flagging of things like "you have an odd number of italic tags in this question" in a future smart online writer.

[grapesmoker]

So, we're talking ~ for italics and _ for required, then?

[mbentley00]

I dislike ~ as there are some cases where you could legitimately include that in a question. I'd prefer something like this is italicized.

On Thu, Nov 20, 2014 at 1:53 PM, Jerry Vinokurov notifications@github.com wrote:

So, we're talking ~ for italics and _ for required, then?

— Reply to this email directly or view it on GitHub https://github.com/grapesmoker/qems2/issues/72#issuecomment-63886974.

[mweiner1]

I can't conceive of when you would use a standalone tilde in a quizbowl question and I've never seen this issue come up in the other major question management system, which has always used tildes for italics. Can you give an example?

[Theta91]

Oh, people have forgotten to close underscores -- but it's never been nearly the problem that HTML tags represent (due to tags requiring more characters and the forward slash to close). Forcing a single character system for italics (everywhere) and required answerline makes everyone's job (writer, editor, code monkey) a little easier and means you can strip all HTML.

[mbentley00]

It's pretty much impossible to search for this. I suppose I'm fine saying that the 99% case is that you wouldn't use a tilde and so let's make it easier for default use cases even if that means sacrificing this corner case.

On Thu, Nov 20, 2014 at 2:10 PM, mweiner1 notifications@github.com wrote:

I can't conceive of when you would use a standalone tilde in a quizbowl question and I've never seen this issue come up in the other major question management system, which has always used tildes for italics. Can you give an example?

— Reply to this email directly or view it on GitHub https://github.com/grapesmoker/qems2/issues/72#issuecomment-63889426.

[mbentley00]

A related question is what the edit_tossup and edit_bonus screens should look like. Currently they use the same rich textboxes that add_tossup and add_bonus do, which allows you to bold/underline in a what you see is what you get fashion. Should we go with the QEMS1 approach and have all adding/editing be in plain text and include an HTML version of what the question looks like after you've submitted the changes?

[grapesmoker]

That would seem to be the thing to do. If we don't need to let people mark up questions directly in HTML then there's no point in having those rich text boxes. I can take them out tomorrow easily enough. On Nov 20, 2014 10:13 PM, "mbentley00" notifications@github.com wrote:

A related question is what the edit_tossup and edit_bonus screens should look like. Currently they use the same rich textboxes that add_tossup and add_bonus do, which allows you to bold/underline in a what you see is what you get fashion. Should we go with the QEMS1 approach and have all adding/editing be in plain text and include an HTML version of what the question looks like after you've submitted the changes?

— Reply to this email directly or view it on GitHub https://github.com/grapesmoker/qems2/issues/72#issuecomment-63918856.

[Theta91]

That is exactly, 100% what should be done, Mike.