Drupal Ramblings

Why is "Full HTML" Input Format Dangerous?

This is a comment I submitted on my localhost site, with full HTML allowed for anonymous users. The fact that "XSS" came up in an alert means I'm vulnerable to attack.

If you want your skin to crawl more, visit the XSS Cheatsheet, which offers a number of techniques for XSS attacks. If you're ever in doubt, no better test than to attempt to hack yourself.

YUI Editor: A Simple, Beautiful, and Easy Drupal WYSIWYG editor

Reviewed Version: yui_editor-6.x-2.0
Depends on: Yahoo YUI

VERDICT: Outstanding! The only lovable Drupal WYSIWYG editor . Painless Installation, Great First Impressions, Easy to configure, image Uploading/insertion works out of the box, editor behavior solid and intuitive, and offers good security features.

In our last review of WYSIWYG editors, a certain editor won because it met my low expectations. Thanks to the tip from Sanjeev, I found an editor so good its off the charts.

Painless Installation, Great First Impressions

The moment after I installed YUI Editor I found this refreshing WYSIWYG smiling at me.

makes you want to write

Smashing Magazine Gives a Nod to Drupal

If I could read only one web design blog in the world, it would be smashing magazine. At one time, (maybe 2004-2005ish), I would have picked A List Apart.

Defining "drupalism"

I seem to use the word “drupalism” in a pejorative way. Usually, to to describe anything that follows one of these drupaly anti-patterns:

Notes on the Drupal Usability Report

Indeed, this is a great usability report.

I scribbled these notes as I read it:

  • Statuses (such as "publish", "unpublish", "promote to frontpage") should not use checkboxes -- they should use BUTTONS. Clicking a button helps ensure that a user understands the gravity of their actions -- which is extremely important. These buttons should show a certain amount of intelligence. "Unpublish" or "Save Changes" for live content. "Publish" or "Save as Draft" for new content, and "Publish", "Save Changes" for unpublished content... etc...
  • "Promote to frontpage" is a checkbox that wants to read "Show on frontpage". It's a checkbox, because its an attribute that piece of content can have -- not necessarily an action the user makes on a piece of content. Above all it is of lesser importance than the buttons listed in the previous note -- forgetting to promote a piece of content to the front page will probably be a lot less embarrassing than what could appen if someone accidently publishes a less-than-ready draft. Especially when our interface merely reads "save" -- which is deceptively safe looking.
  • The "story" content type needs to either die, or be renamed "article".
  • "Book pages" should become simply "pages" with pages as we previously understood them thrown away. The behavior that I think users expect from "pages" is what the book module does best. The book metaphor isn't extended that much -- "child", and "parent" are the main terms used in the interface -- not "chapter" and "page" like you'd expect in a book.
  • Settings like front page path are deep enough in drupal admin hell, that a quick fix may have to be a special help box that appears in certain circumstances. Messages would read something along the lines of "Your frontpage is currently set to "/blog". [link] Where can I change this?" These boxes could serve as bandaids for some of our more complex usability problems that aren't going to be solved in a single release.
  • admin/content is important enough to have its own unique section dedicated to content management, and content management only. Site settings, user management, and content management are three very different things afterall. I believe they deserve their own individual sections outside of our behemoth misadministration console.
  • Yes most users really do expect a wysiwg editor of sorts. I speak of our userbase -- e.g. people who'll never visit drupal.org, or would ever need to know what kind of CMS is running a website. At bare minimum, it should let users add links, images, lists, and blockquotes. A message should instruct users that "[return] = paragraph/ [shift-return] = linebreak. TinyMCE is evil because of the number of options it provides.
  • Permissions themselves should be split out perhaps. There is quite a big difference between content related, admin related, and user related permissions. Perhaps splitting these permissions out into more intuitive locations (e.g. content permissions are found in content type settings) and offerring overview pages of what various users can do with various site components would help alleviate this problem.
  • There should be a region, and navagition devoted to admin tasks. I think it belongs at the very top of the page (but is not so high that it takes up too much room). Its separated from the main theme, and is design is always consistant no matter the theme currently being used.
  • The top admin bar, and admin page (as well as perhaps the content creation pages) can be modified, but not quite as readily as a "theme" as we know it. This roadblock frees up theme developers (ESPECIALLY NON DRUPAL EXPERT ONES) to focus on how sites look to their visitors -- they shouldn't nomrally need to worry about how the sites look to their admins/content managers as well. That should really be the the association of drupal ninja's concern.

Overall -- drupal's flexibility and configurability seems to be a curse to our users. The out of the box drupal should aim to offer a few good approaches to common needs that people are trying to satisfy with their website. Like an object, the more that we encapsulate these distinct needs and settings the better. Perhaps we lose "flexibility" -- but if I wanted pure flexibility, I'd write things from scratch, no?

7 Types of Development Articles that Set Kittens on Fire

Everyday, I attempt to read 20 or 30 web development articles, usually via dzone, del.icio.us, and the drupal planet. Its a perverse and masochistic ritual. The articles I scan leave me with a dreadful sense of emptiness -- and a longing for a different career. On the otherhand, it tends to make my development work seem exciting by contrast.

Drupal Tough Love

BillMeanGuy copy Drupal Tough Love is a new site by The Notorious C.H.X. , and Morbus Iff. Want to become a better drupal developer? Get ready for some tough love:

"We all make mistakes; that's how we learn. Sometimes, though, we need someone to point out our mistakes...

And if you don't learn, than Curly on the left will show you some really tough love.

Drupal Tough Love: I'll be watching you like a hawk.

Top 5 Reasons Developers Don't Use Drupal

Jeff Whatcott ponders why Drupal isn't dominating the job postings for social app PHP developers.  He guesses the main problem is lack of awareness and understanding of drupal among the greater developer community. With this line of thinking, the obvious fix would be outreach and education. Personally, I'm skeptical that the developers who choose systems other than drupal do so because of lack knowledge, or awareness. I think its something far less rational

The Keyboard: Perhaps this Contraption Might be of Use to Drupal

Imagine this: you are viewing a node, and hit alt-e. That keystroke brings up a node edit form. Or instead of dragging blocks, taxonomy terms, and menu items, you merely hit the "down" key. I wonder, may this strange device called a "keyboard" be of use to us? Well, regardless, there's a freestanding jquery plugin that's done most of the work already. The question is: are the Drupalites FOR or AGAINST the keyboard?*

See Mike Hostetler's keynav plugin for jQuery

Stupid Simple Web Scraping with SimpleXML


The other day, I was tasked with building a data scraper. Having never built such a contraption, I naturally turned to the Internets for preexisting code. I was horrified with what I found.

The “free” PHP scripts (that’s “free” as in “free baby vomit”) were all infested with the worst sorts of newfangled regex, and PHP 4 era DOM traversing.


Subscribe to RSS - Drupal Ramblings