User talk:Enterprisey/script-installer

Here's my common.js right now.

importScript( 'User:Enterprisey/script-installer.js' ); // Backlink: User:Enterprisey/script-installer.js
importScript('User:Enterprisey/easy-brfa.js'); // Backlink: User:Enterprisey/easy-brfa.js
importScript('User:Enterprisey/cv-revdel.js'); // Backlink: User:Enterprisey/cv-revdel.js
importScript('User:Enterprisey/reply-link.js'); // Backlink: User:Enterprisey/reply-link.js
importScript('User:Enterprisey/talk-tab-count.js'); // Backlink: User:Enterprisey/talk-tab-count.js
importScript('User:Enterprisey/user-tabs-on-contribs.js'); // Backlink: User:Enterprisey/user-tabs-on-contribs.js

Does that bug you? It bugs me. Would it be possible to change script-installer to match {{subst:iusc}}'s output? (For that matter, is there a reason it doesn't just generate that subst in the first place? DRY and all that.) Gaelan 💬✏️ 09:39, 24 February 2019 (UTC)[reply]

Gaelan, is this still an issue? I checked your common.js and my common.js and couldn't see what you're talking about - I'm probably not understanding your comment. Enterprisey (talk!) 06:28, 13 October 2019 (UTC)[reply]

Oh, spacing inside the parentheses. Huh. Yeah, the subst would be fine. I don't feel very strongly about this. I guess I'll consider adding spaces. Enterprisey (talk!) 04:19, 26 January 2021 (UTC)[reply]

As of 2024, the gadget is not putting spaces inside parentheses. Judging from the lack of comments on this page, I don't think most users mind. Probably should leave as is. –Novem Linguae (talk) 17:48, 7 May 2024 (UTC)[reply]

@Enterprisey: It would be neat if this script was extended to allow installing scripts on global.js, too. ~★ nmaia ^d 01:05, 15 September 2020 (UTC)[reply]

Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)[reply]

With checkboxes. Enterprisey (talk!) 04:10, 26 January 2021 (UTC)[reply]

That'd be great! — 𝐆𝐮𝐚𝐫𝐚𝐩𝐢𝐫𝐚𝐧𝐠𝐚 (talk) 23:41, 26 May 2021 (UTC)[reply]

Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)[reply]

I don't think relying on IDs for getting script paths is a good idea as it results in invalid HTML if the same path appears more than once per page. Shouldn't it use a data-* attribute? Nardog (talk) 23:18, 8 April 2021 (UTC)[reply]

@Enterprisey: It would be helpful if you added a function allowing you to add scripts using scriptManager's syntax. ― Qwerfjkl | 𝕋𝔸𝕃𝕂  (please use {{reply to|Qwerfjkl}} on reply) 13:53, 23 May 2021 (UTC)[reply]

Agreed. — Guarapiranga (talk) 23:50, 26 May 2021 (UTC)[reply]

Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)[reply]

This script still seems to be using {{Iusc}}, rather than {{Lusc}}, which I understand to be the preferred method. Enterprisey, would it be possible to update that? {{u|Sdkb}} ^talk 03:47, 23 November 2021 (UTC)[reply]

@Enterprisey: Any update on this? importScript() (which {{iusc}}) uses has been deprecated for a while now. See T95964 ―sportzpikachu _{my talkcontribs} 10:45, 10 December 2021 (UTC)[reply]

I plan to get to this at some point, but it's not urgent; there's still no good official replacement ("Gadgets 3.0" or whatever number they're on now). So it would just be for the slight performance benefit. Enterprisey (talk!) 04:42, 11 December 2021 (UTC)[reply]

Strong oppose. There was some misinformation going around a year or two ago that iusc was deprecated, but this had no basis in fact. See Template:Install user script#importScript() is not deprecated for more info. I strongly prefer iusc because it is much more readable. –Novem Linguae (talk) 17:52, 7 May 2024 (UTC)[reply]

I switched all my scripts to use {{Lusc}} in 2021 after I was told that it would significantly improve page loading speed, and at the time it seemed to do so. Is that no longer the case? Sdkb ^talk 18:06, 7 May 2024 (UTC)[reply]

Interesting. I haven't looked into the performance angle of this. –Novem Linguae (talk) 18:45, 7 May 2024 (UTC)[reply]

@Enterprisey: Now that phab:T300743 is fixed, I can list the other to-do items that I noticed while looking for XSS issues. These are all suggestions for future development that you can take or leave as you see fit.

• The gadget should check the content model of script pages before installing them, and only install ones with a content model of JavaScript. In theory, not checking this would allow an attacker to add JavaScript code to a wikitext page in a trusted user's userspace (which anyone can edit), and then trick the victim into installing the attacker's code while the victim believes it is written by the trusted user. In practice, this attack is stopped by MediaWiki setting the X-Content-Type-Options header to "nosniff", which prevents loading scripts from pages that don't have a MIME type of "text/javascript". This could be a problem in very old browsers though, so it would be worth fixing.
• Import.fromJs is broken for scripts with double or single quotes in them (e.g. User:Example/foo"bar.js). The script trims the first quote character and everything after it, which means it tries to install e.g. User:Example/foo instead. Fixing this would mean parsing the string with a JavaScript parser instead of with regex - unfortunately, I'm not aware of an easy way of doing that without installing third-party libraries, so this could be a lot of work.
• The cookie attributes of the open_script_installer need fixing. Firefox was giving the following warning in the console: Cookie “open_script_installer” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
• There are some missing translation strings: see the latter half of the diff of the Chinese translation to see where they are. They also use different pipe and bracket characters, so those might be worth including as well. The mw.Message class might be worth a look into for this.

Best — Mr. Stradivarius ^{♪ talk ♪} 13:33, 7 February 2022 (UTC)[reply]

@Enterprisey: i am unable to uninstall both autoFormatter & cleanDiff on common.js. can you please look into it. <_> jindam, vani (talk) 13:56, 27 December 2022 (UTC)[reply]

Links: meta:User:TMg/autoFormatter, de:Benutzer:TMg/cleanDiff.js. These are both non-English Wikipedia user scripts, which is probably why this gadget didn't work. –Novem Linguae (talk) 17:55, 7 May 2024 (UTC)[reply]

@Enterprisey Currently, the script claims that Wikipedia:AutoEd/complete.js is insecure, in spite of the full protection. Could support be added? Aaron Liu (talk) 16:56, 13 September 2023 (UTC)[reply]