We should consider dropping support for openWysiwyg in 7.x.

The project seems to be dead and has had no new releases for a long time already. Originally, I only added the editor because integration looked simple, and to continue the fight against stand-alone editor integration modules like http://drupal.org/project/openwysiwyg.

Visually, it doesn't look too bad, but its code and technical design are very poor.

Today, I doubt that anyone is really using it, so it adds nothing but maintenance burden.

Comments

sun’s picture

Component: Code » Editor - OpenWYSIWYG
Fannon’s picture

+1

sun’s picture

Status: Active » Closed (won't fix)

Now that we fixed it, we can as well keep it a little longer.

Chi’s picture

Status: Closed (won't fix) » Active

openWYSIWYG site doesn't work
http://www.openwebware.com

ASMBL’s picture

Looks like the project is still supported but has moved:
http://www.dynamicdrive.com/dynamicindex16/openwysiwyg/index.htm

Is it really that poorly coded?

sun’s picture

That site looks like a pure download site only. I don't see source code or anything else there. In fact, all the links are pointing to openwebware, which no longer exists.

Furthermore, the download package has a release date of 2006 - which is pretty much identical to the most recent release of openwysiwyg on the original download page (which no longer exists).

So yeah, time to delete it.

TwoD’s picture

http://www.openwebware.com works for me. The latest version available there is 1.4.7. The last dated release (1.4.6) was on 2006-12-17, but 1.7.4 appears to have been released in September 2007 according to the date the changelog was last updated.

Seems pretty dead to me. It's not like we can't add it again if it is revived...

mentalworks’s picture

Issue summary: View changes

Hi,

The openwysiwyg library is vulnerable to Local File Injection: you can access the image upload pop-up directly as an anonymous user (simply by accessing the /sites/all/libraries/openwysiwyg/addons/imagelibrary/insert_image.php file).

You can then upload malicious image files containing PHP code, as the only security check on uploaded files seems to be an extension verification. So an exploit.php.jpg file will be successfully uploaded by an anonymous user.

One of our Drupal sites in production was hacked this way (although I cannot figure out how they executed the uploaded file).

In addition to this, the file upload pop-up can list all files on the server with the 'dir' GET parameter. You can list any folder content with a ?dir=../../../../var/www for example.

It seems very important to drop the openwysiwyg support urgently as it's totally crap.

I'm an open source enthusiast, so when trying an alternative to CKEditor, I came to openwysiwyg as its name smells of open source, but please, don't allow other users to fall into this trap.

Cheers
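A log check for the two behaviours reported in the comment above (direct requests to insert_image.php with a traversing 'dir' parameter, and file names such as exploit.php.jpg), as an added example that is not part of the original thread or of any project's code. It assumes Apache/nginx combined-format access logs; the function names, finding labels and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path quoted in the report above; log format and finding names are assumptions.
TARGET = "/sites/all/libraries/openwysiwyg/addons/imagelibrary/insert_image.php"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                  r'(?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')  # combined format
SCRIPT_EXT = {"php", "phtml", "php3", "php4", "php5", "phar"}

def has_script_ext(filename):
    """True if any extension in the name, not just the last, is a PHP one."""
    return any(p in SCRIPT_EXT for p in filename.lower().split(".")[1:])

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e%252e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return findings for one access-log line (empty list if unrelated)."""
    m = LINE.match(line)
    if not m:
        return []
    url = urlsplit(m["uri"])
    if not fully_decode(url.path).lower().endswith(TARGET):
        return []
    findings = ["direct-access"]
    if m["method"] == "POST" and m["status"].startswith("2"):
        findings.append("post-to-uploader")
    for d in parse_qs(url.query).get("dir", []):
        d = fully_decode(d).replace("\\", "/")
        if ".." in d.split("/") or d.startswith("/"):
            findings.append("dir-traversal")
            break
    return findings

SAMPLE = [  # constructed log lines using documentation IP ranges
    f'203.0.113.7 - - [10/Mar/2014:10:01:02 +0000] "GET {TARGET}?dir=../../../../var/www HTTP/1.1" 200 5120 "-" "-"',
    f'203.0.113.7 - - [10/Mar/2014:10:01:40 +0000] "POST {TARGET} HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.4 - - [10/Mar/2014:10:02:00 +0000] "GET /node/1 HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line.split('"')[1])
```

Running `has_script_ext` over the file names in the library's upload directory complements the log check, since an access log records the upload request but not the name of the stored file.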

Chi’s picture

Issue tags: +Security

  • TwoD committed a1d638d on 7.x-2.x
    - #970892 by TwoD: Dropped openWYSIWYG support.
    

  • TwoD committed 86c24ef on 6.x-2.x
    - #970892 by TwoD: Dropped openWYSIWYG support.
    
TwoD’s picture

Status: Active » Fixed

Should have done this long ago. The editor completely breaks in most modern browsers and the hacks needed to support it are costing too much.
The next release will not have openWYSIWYG support and no further efforts will be made to maintain it by me.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.