Page MenuHomePhabricator
Create Task
Maniphest T6583

Allow video embed and custom html in dashboard markup
Closed, WontfixPublic
Actions

Description

It seems impossible to add custom html to a dashboard panel

How did they do it ? :-)

Related Objects

Event Timeline

philippe.jadin created this task.Nov 18 2014, 4:12 PM
philippe.jadin raised the priority of this task from to Wishlist.
philippe.jadin updated the task description. (Show Details)
philippe.jadin added projects: Remarkup, Dashboards.
philippe.jadin added a subscriber: philippe.jadin.
chad added a subscriber: chad.Nov 18 2014, 4:20 PM

They maintain a heavily modified fork.

philippe.jadin added a comment.Nov 18 2014, 4:25 PM

We sure don't want to do that. Would either allow html in remarkup or create a new html panel type be something you'd consider?

epriestley closed this task as Wontfix.Nov 18 2014, 4:28 PM
epriestley claimed this task.

We will never support an HTML panel type in the upstream. It can not be made secure.

Even restricting it to administrators would allow them (or attackers who compromise administrator accounts) to launch attacks that would greatly expand the scope of their power: they could use XSS + CSRF to act as other users. They are not normally permitted to do this:

https://secure.phabricator.com/book/phabricator/article/users/#administrators

You can create a custom panel type locally by subclassing PhabricatorDashboardPanelType and putting your subclass in phabricator/src/extensions/. We can't help you with this, though.

epriestley mentioned this in T6650: New application with and "external application panel".Nov 26 2014, 12:30 PM
stevex added a subscriber: stevex.Nov 27 2014, 5:13 PM

If someone will be able to get administrator rights I think there will be a lot of "holes" to get in other than an HTML panel, and a lot more damage possible than just impersonating a user.

Sure the less the betterm but without opening in some way the official phabricator to integrate other pieces inside there are just 2 possibilities:

  1. maintaining a fork
  2. put phabricator in in some way in another bigger container (portal)

Both of them I think are not good (or anyway worst) options..

epriestley added a comment.Nov 27 2014, 5:31 PM

Yes, those are your options. We will never support this in the upstream.

stevex added a comment.EditedNov 28 2014, 7:57 AM

Can you please articulate other options in order to integrate Phabricator with other tools (apart from rewriting everything inside it) in order to give the user something like a portal (as it appears phabricator itself to be designed to)?
I'm genuinly interested in them

chad added projects: Conduit, Doorkeeper.Nov 28 2014, 4:28 PM

Depends entirely what "Other Tools" means. Conduit and Doorkeeper will be built in means of talking to external systems. Remarkup can certainly be expanding to offer more flexibility in writing content into Phabricator. Custom Fields and Event Listeners also allow for customization. Forking and maintaining patches are also what we recommend to people who need heavy integration/customization.

https://secure.phabricator.com/book/phabcontrib/article/feature_requests/ covers what things we look for when building new features into Phabricator.

T4778 covers a bit on what things we can prioritize.

Phabricator · Built by Phacility