We should consider to drop support for openWysiwyg in 7.x.
The project seems to be dead and had no new releases for a long time already. Originally, I only added the editor, because integration looked simple, and, to continue the fight against stand-alone editor integration modules like http://drupal.org/project/openwysiwyg.
Visually, it doesn't look too bad, but it's code and technical design is very poor.
Today, I doubt that anyone is really using it, so it adds nothing but maintenance burden.
Comments
Comment #1
sunComment #2
Fannon CreditAttribution: Fannon commented+1
Comment #3
sunNow that we fixed it, we can as well keep it a little longer.
Comment #4
Chi CreditAttribution: Chi commentedopenWYSIWYG site doesn't work
http://www.openwebware.com
Comment #5
ASMBL CreditAttribution: ASMBL commentedLooks like the project is still supported but has moved:
http://www.dynamicdrive.com/dynamicindex16/openwysiwyg/index.htm
Is it really that poorly coded?
Comment #6
sunThat site looks like a pure download site only. I don't see source code or anything else there. In fact, all the links are pointing to openwebware, which no longer exists.
Furthermore, the download package has a release date of 2006 - which is pretty much identical to the most recent release of openwysiwyg on the original download page (which no longer exists).
So yeah, time to delete it.
Comment #7
TwoDhttp://www.openwebware.com works for me. The latest version available there is 1.4.7. The last dated release (1.4.6) was on 2006-12-17, but 1.7.4 appears to have been released in September 2007 according to the date the changelog was last updated.
Seems pretty dead to me. It's not like we can't add it again if it is revived...
Comment #8
mentalworks CreditAttribution: mentalworks commentedHi,
The openwysiwyg library is vulnerable to Local File Injection: You can access to the image upload pop up directly as anonymous user (simply accessing the /sites/all/libraries/openwysiwyg/addons/imagelibrary/insert_image.php file).
You can then upload malicious images files containing PHP code as any uploaded file security check seems to be only an extension verification. So a exploit.php.jpg file will be successfuly uploaded by an anonymous user.
One of ourDrupal sites in production was hacked this way (although I cannot figure how they have executed the uploaded file).
In addition to this, the file upload pop up can list all files on the server with the 'dir' GET parameter. You can list any folder content with a ?dir=../../../../var/www for example.
It seems very important to drop the openwysiwyg support urgently as its totally crap.
I'm an open source enthusiast, so when trying an alternative to CKEditor, I came to openwysiwyg as with its name it smell opensource, but, please, don't allow other users to fall in this trap.
Cheers
Comment #9
Chi CreditAttribution: Chi commentedComment #12
TwoDShould have done this long ago. The editor completely breaks in most modern browsers and the hacks needed to support it are costing too much.
The next release will not have openWYSIWYG support and no further efforts will be made to maintain it by me.