• This is less of a request and more of an effort to reopen discussion on an interesting idea that sort of wound up forgotten for various reasons that I won't go into here.

    In the early days of planning this forum, @rob advocated for incorporating Codepens into the forum. (Archive link:{"topic_id"%3A734} ) He argued that it would be useful for users to be able to copy example elections that forum users came up with into codepens so that they can figure out what is going on in the example without having to do a lot of computations by hand. This seems like quite a good thing!

    However, allowing users to embed codepen plugins into their posts seems like a possible security concern. Obviously it's unsafe to let people run arbitrary JavaScript on the site, even if the codepens require user permission before they can run. I don't know much about JavaScript or codepens so there may well be some obvious detail I'm missing.

    What could safely be done with codepens on the site?

  • @Marylander Codepens aren't running arbitrary JS on the actual site, they are running it in an iframe that is embedded into the site and can't communicate with the JS runtime within the site.

    If they allowed people to, for instance, steal your login credentials (e.g., read your document.cookie and then post it to a random URL), Codepen would have never even considered making them run embedded in forums. I can assure you they carefully considered the security implications and architected it in a way that prevents such things.
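
The isolation described in the reply above rests on the browser's same-origin policy: a frame whose origin (scheme, host, port) differs from the forum's cannot read the forum page's DOM or its `document.cookie`. As an added example, not code from the thread or from the NodeBB plugin, here is a check a forum could apply to an embed's `src` before rendering the iframe; `forum.example` and the host allowlist are assumed placeholders.

```javascript
// Added example: the forum origin and the allowlist are assumed values.
const FORUM_ORIGIN = "https://forum.example";         // placeholder for the forum's own origin
const ALLOWED_EMBED_HOSTS = new Set(["codepen.io"]);  // assumed allowlist of embed hosts

// An origin is the (scheme, host, port) triple; URL.origin serializes it
// and drops default ports, so :443 on https compares equal to no port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide whether a URL is acceptable as the src of an embedded iframe.
function checkEmbedSrc(src, forumOrigin = FORUM_ORIGIN, allowed = ALLOWED_EMBED_HOSTS) {
  let url;
  try {
    url = new URL(src); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is not https" };
  }
  if (url.username || url.password) {
    // "https://codepen.io@other.example/" has host other.example
    return { ok: false, reason: "URL carries credentials" };
  }
  if (sameOrigin(url.href, forumOrigin)) {
    // A same-origin frame would share the forum's DOM and cookies.
    return { ok: false, reason: "same origin as the forum" };
  }
  if (!allowed.has(url.hostname)) { // exact match on the parsed, lowercased host
    return { ok: false, reason: "host not on the allowlist" };
  }
  return { ok: true, reason: "cross-origin, allowlisted host" };
}

// Constructed sample inputs.
for (const src of [
  "https://codepen.io/someuser/embed/abcdef",
  "https://forum.example:443/uploads/page.html",
  "https://codepen.io.other.example/embed/abcdef",
]) {
  console.log(src, "->", checkEmbedSrc(src).reason);
}
```
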

  • So, using the iframe technique, the burden of learning enough about NodeBB to be able to build a plugin to allow them to be embedded in posts could be relatively light.

    Whoever wants to give it a try should send me their public key for SSH.

  • @Jack-Waugh Nobody needs to build a plugin, it already exists. You just need to install it.

  • @rob

    theory@votingtheory:~/nodebb$ npm install nodebb-plugin-codepen
    > husky@4.2.5 install /home/theory/nodebb/node_modules/husky
    > node husky install
    husky > Setting up git hooks
    husky > Done
    > core-js@2.6.12 postinstall /home/theory/nodebb/node_modules/core-js
    > node -e "try{require('./postinstall')}catch(e){}"
    Thank you for using core-js ( ) for polyfilling JavaScript standard library!
    The project needs your help! Please consider supporting of core-js on Open Collective or Patreon: 
    Also, the author of core-js ( ) is looking for a good job -)
    > nodemailer@6.4.5 postinstall /home/theory/nodebb/node_modules/smtp-server/node_modules/nodemailer
    > node -e "try{require('./postinstall')}catch(e){}"
    === Nodemailer 6.4.5 ===
    Thank you for using Nodemailer for your email sending needs! While Nodemailer
    itself is mostly meant to be a SMTP client there are other related projects in
    the Nodemailer project as well.
    For example:
    > IMAP API (  ) is a server application to easily access
    IMAP accounts via REST API
    > NodemailerApp (  ) is a cross platform GUI app to
    debug emails
    > husky@4.2.5 postinstall /home/theory/nodebb/node_modules/husky
    > opencollective-postinstall || exit 0
    Thank you for using husky!
    If you rely on this package, please consider supporting our open collective:
    npm WARN nodebb-plugin-emoji-android@2.0.0 requires a peer of nodebb-plugin-emoji@^2.0.0 but none is installed. You must install peer dependencies yourself.
    npm WARN textcomplete.contenteditable@0.1.1 requires a peer of textcomplete@^0.14.2 but none is installed. You must install peer dependencies yourself.
    npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.3 (node_modules/fsevents):
    npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
    + nodebb-plugin-codepen@0.2.0
    added 650 packages from 338 contributors and audited 1363 packages in 37.461s
    77 packages are looking for funding
      run `npm fund` for details
    found 118 vulnerabilities (11 low, 20 moderate, 83 high, 4 critical)
      run `npm audit fix` to fix them, or `npm audit` for details

  • @Jack-Waugh
    So it is installed? Do I just do this?

    (apparently not.... are you sure it is running?)

  • @rob, the admin page that lists the plugins says it is activated. However, when I did the "npm install" (prior), I received several warnings. I posted those. I don't know whether any of those are keeping it from working.

    Maybe I should take the latest NodeBB.
