Jump to content

User talk:Enterprisey/script-installer

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Feature request: generate code that matches {{subst:iusc}}

Here's my common.js right now.

importScript( 'User:Enterprisey/script-installer.js' ); // Backlink: User:Enterprisey/script-installer.js
importScript('User:Enterprisey/easy-brfa.js'); // Backlink: User:Enterprisey/easy-brfa.js
importScript('User:Enterprisey/cv-revdel.js'); // Backlink: User:Enterprisey/cv-revdel.js
importScript('User:Enterprisey/reply-link.js'); // Backlink: User:Enterprisey/reply-link.js
importScript('User:Enterprisey/talk-tab-count.js'); // Backlink: User:Enterprisey/talk-tab-count.js
importScript('User:Enterprisey/user-tabs-on-contribs.js'); // Backlink: User:Enterprisey/user-tabs-on-contribs.js

Does that bug you? It bugs me. Would it be possible to change script-installer to match {{subst:iusc}}'s output? (For that matter, is there a reason it doesn't just generate that subst in the first place? DRY and all that.) Gaelan 💬✏️ 09:39, 24 February 2019 (UTC)[reply]

Gaelan, is this still an issue? I checked your common.js and my common.js and couldn't see what you're talking about - I'm probably not understanding your comment. Enterprisey (talk!) 06:28, 13 October 2019 (UTC)[reply]
Oh, spacing inside the parentheses. Huh. Yeah, the subst would be fine. I don't feel very strongly about this. I guess I'll consider adding spaces. Enterprisey (talk!) 04:19, 26 January 2021 (UTC)[reply]
As of 2024, the gadget is not putting spaces inside parentheses. Judging from the lack of comments on this page, I don't think most users mind. Probably should leave as is. –Novem Linguae (talk) 17:48, 7 May 2024 (UTC)[reply]
Counter-proposal: Template talk:Install user script#Protected edit request on 15 June 2024. —⁠andrybak (talk) 20:58, 15 June 2024 (UTC)[reply]

Global

@Enterprisey: It would be neat if this script was extended to allow installing scripts on global.js, too. ~nmaia d 01:05, 15 September 2020 (UTC)[reply]

Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)[reply]

TODO: Bulk deletion support

With checkboxes. Enterprisey (talk!) 04:10, 26 January 2021 (UTC)[reply]

👍 That'd be great! — 𝐆𝐮𝐚𝐫𝐚𝐩𝐢𝐫𝐚𝐧𝐠𝐚 (talk) 23:41, 26 May 2021 (UTC)[reply]
Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)[reply]

id vs data-

I don't think relying on IDs for getting script paths is a good idea as it results in invalid HTML if the same path appears more than once per page. Shouldn't it use a data-* attribute? Nardog (talk) 23:18, 8 April 2021 (UTC)[reply]

scriptManager

@Enterprisey: It would be helpful if you added a function allowing you to add scripts using scriptManager's syntax. ― Qwerfjkl | 𝕋𝔸𝕃𝕂  (please use {{reply to|Qwerfjkl}} on reply) 13:53, 23 May 2021 (UTC)[reply]

Agreed. — Guarapiranga (talk) 23:50, 26 May 2021 (UTC)[reply]
Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)[reply]

Lusc instead of iusc

This script still seems to be using {{Iusc}}, rather than {{Lusc}}, which I understand to be the preferred method. Enterprisey, would it be possible to update that? {{u|Sdkb}}talk 03:47, 23 November 2021 (UTC)[reply]

@Enterprisey: Any update on this? importScript() (which {{iusc}}) uses has been deprecated for a while now. See T95964sportzpikachu my talkcontribs 10:45, 10 December 2021 (UTC)[reply]
I plan to get to this at some point, but it's not urgent; there's still no good official replacement ("Gadgets 3.0" or whatever number they're on now). So it would just be for the slight performance benefit. Enterprisey (talk!) 04:42, 11 December 2021 (UTC)[reply]
Strong oppose. There was some misinformation going around a year or two ago that iusc was deprecated, but this had no basis in fact. See Template:Install user script#importScript() is not deprecated for more info. I strongly prefer iusc because it is much more readable. –Novem Linguae (talk) 17:52, 7 May 2024 (UTC)[reply]
I switched all my scripts to use {{Lusc}} in 2021 after I was told that it would significantly improve page loading speed, and at the time it seemed to do so. Is that no longer the case? Sdkbtalk 18:06, 7 May 2024 (UTC)[reply]
Interesting. I haven't looked into the performance angle of this. –Novem Linguae (talk) 18:45, 7 May 2024 (UTC)[reply]

Various to-dos

@Enterprisey: Now that phab:T300743 is fixed, I can list the other to-do items that I noticed while looking for XSS issues. These are all suggestions for future development that you can take or leave as you see fit.

  • The gadget should check the content model of script pages before installing them, and only install ones with a content model of JavaScript. In theory, not checking this would allow an attacker to add JavaScript code to a wikitext page in a trusted user's userspace (which anyone can edit), and then trick the victim into installing the attacker's code while the victim believes it is written by the trusted user. In practice, this attack is stopped by MediaWiki setting the X-Content-Type-Options header to "nosniff", which prevents loading scripts from pages that don't have a MIME type of "text/javascript". This could be a problem in very old browsers though, so it would be worth fixing.
  • Import.fromJs is broken for scripts with double or single quotes in them (e.g. User:Example/foo"bar.js). The script trims the first quote character and everything after it, which means it tries to install e.g. User:Example/foo instead. Fixing this would mean parsing the string with a JavaScript parser instead of with regex - unfortunately, I'm not aware of an easy way of doing that without installing third-party libraries, so this could be a lot of work.
  • The cookie attributes of the open_script_installer need fixing. Firefox was giving the following warning in the console: Cookie “open_script_installer” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
  • There are some missing translation strings: see the latter half of the diff of the Chinese translation to see where they are. They also use different pipe and bracket characters, so those might be worth including as well. The mw.Message class might be worth a look into for this.

Best — Mr. Stradivarius ♪ talk ♪ 13:33, 7 February 2022 (UTC)[reply]

unable to uninstall autoFormatter & cleanDiff

@Enterprisey: i am unable to uninstall both autoFormatter & cleanDiff on common.js. can you please look into it. <_> jindam, vani (talk) 13:56, 27 December 2022 (UTC)[reply]

Links: meta:User:TMg/autoFormatter, de:Benutzer:TMg/cleanDiff.js. These are both non-English Wikipedia user scripts, which is probably why this gadget didn't work. –Novem Linguae (talk) 17:55, 7 May 2024 (UTC)[reply]

Recognize Full Protection

@Enterprisey Currently, the script claims that Wikipedia:AutoEd/complete.js is insecure, in spite of the full protection. Could support be added? Aaron Liu (talk) 16:56, 13 September 2023 (UTC)[reply]

Should script-installer add userscript pages to the watchlist?

Working on userscripts sometimes requires discussion. Because script-installer is a gadget, this talk page is relatively active, but this is not true for all userscripts. In a recent case, I posted on the talk page of the author, because the script didn't have an existing talk page (both documentation and the code talk pages don't exist at the time of writing). However, in another case I created a talk page corresponding to the script's documentation page and pinged the author.

Technically, due to backlinks generated by automatic script installation, I could figure out all the users, but pinging or messaging them would be way too much spam, which is disruptive.

What if script-installer automatically added/removed the pages (documentation and .js) of a userscript being installed/uninstalled to the watchlist? This would keep the users informed of any updates that might affect them, and maybe encourage their participation in discussions.

On the other hand, such automatic meddling with the watchlist might annoy some users. —⁠andrybak (talk) 13:11, 4 June 2024 (UTC)[reply]

Andrybak, it could be added as a default-on preference that can be configured in the common.js/skin.js page, like nav popups has. — Qwerfjkltalk 16:24, 4 June 2024 (UTC)[reply]
Is the proposal to automatically add to your watchlist any user script installed with this gadget? I wouldn't personally be interested in that. I've installed around 50 user scripts, I think, and I don't have a reason for them to be on my watchlist. Please correct me if I'm misunderstanding. –Novem Linguae (talk) 16:39, 4 June 2024 (UTC)[reply]
Your understanding of the proposal is correct. With Qwerfjkl's preference idea, it will be possible to disable this functionality. —⁠andrybak (talk) 16:52, 4 June 2024 (UTC)[reply]

I have implemented this proposal in my sandbox: Special:Diff/1231540064/1231548208. During installation, the gadget will automatically add the source code page (example: User:Shubinator/DYKcheck.js) and the documentation page (example: User:Shubinator/DYKcheck) to the watchlist. During uninstallation, the gadget will automatically remove the pages from the watchlist. The customization of this automatic watching/unwatching feature can be done via two new options:

window.scriptInstallerWatch = false; // disable automatic watching
window.scriptInstallerUnwatch = false; // disable automatic unwatching

There are two options rather than one, because there are use-cases for all four combinations:

  1. the default is both automatic watching and automatic unwatching are enabled – for users who want to keep track only of scripts they currently have installed
  2. disable only watching for people who don't want scripts on their watchlists (≈ Novem Linguae's use-case)
  3. disable only unwatching for people who want to keep tabs on scripts that they've uninstalled, but, for example, might want to install in the future, when it shows up in their watchlist
  4. disable both watching and unwatching for people who want to control their watchlist manually (current status quo)

What do you think? —⁠andrybak (talk) 22:27, 28 June 2024 (UTC)[reply]

Talk page watchers, is anyone else interested in this feature? I do not think this should default to on without consensus, and maybe not even be included at all without consensus (since if this were to be mostly unused, it would increase technical debt) –Novem Linguae (talk) 22:31, 28 June 2024 (UTC)[reply]
Novem Linguae, I can't imagine ever using something like this, but I'm probably in the minority when it comes to using scripts. — Qwerfjkltalk 21:00, 29 June 2024 (UTC)[reply]
I would be strongly opposed to making it the default (opt-out). Script users often don't understand (or forget over time) which script is responsible for which part of their site experience, and adding the script/doc to their watchlists may overburden (and eventually discourage) script authors when something goes wrong. Instead lead them to WP:VPT, where help (e.g. forking) is more likely to be found. Nardog (talk) 01:31, 30 June 2024 (UTC)[reply]

Confusing history of importScript

Due to some confusing discussions around functions importScript and mw.loader.load, I have attempted to reconstruct the events, which lead to the confusion.

I've considered different places for this discussion. The most automated way of installing script nowadays is the installer gadget, so I selected this talk page. —⁠andrybak (talk) 12:27, 7 June 2024 (UTC)[reply]

Timeline of importScript

Feel free to edit this timeline if you find mistakes, anything relevant turns up, or to improve formatting. —⁠andrybak (talk) 12:27, 7 June 2024 (UTC)[reply]

Added Template talk:Install user script#Protected edit request on 3 December 2018. —⁠andrybak (talk) 12:35, 7 June 2024 (UTC)[reply]
Added Gerrit links corresponding to the existing Phabricator links for commits. —⁠andrybak (talk) 18:24, 7 June 2024 (UTC)[reply]
Added quote from 2022-09-01 commit. —⁠andrybak (talk) 20:16, 7 June 2024 (UTC)[reply]
Added Wikipedia talk:User scripts/Archive 6#importScript() vs mw.loader.load(). —⁠andrybak (talk) 13:11, 4 August 2024 (UTC)[reply]
Would it be helpful to color code the timeline? Something like   or Gray X symbolNg for situations when the person thought the function was deprecated and Green checkmarkY for when they didn't. —⁠andrybak (talk) 13:29, 7 June 2024 (UTC)[reply]

Discussion – Confusing history of importScript

It seems that most of the confusion was caused by the discrepancies between three sources of information: source code, mw:ResourceLoader/Legacy JavaScript, and mw:ResourceLoader/Migration guide (users). Hopefully this will clear up any confusion and clarify why people were confused. Let me know, if there are any other discussions.

Courtesy pings to other participants of discussions and tickets: He7d3r, Skizzerz, Gary, Mdowdell. —⁠andrybak (talk) 12:27, 7 June 2024 (UTC)[reply]

As of 7 June 2024, the up-to-date information is at Template:Install user script#importScript() is not deprecated (Special:Permalink/1197700514). —⁠andrybak (talk) 13:00, 7 June 2024 (UTC)[reply]
What if we added a note to the page mw:ResourceLoader/Migration_guide_(users)#MediaWiki_1.29, similar to Template:Install user script#importScript() is not deprecated? —⁠andrybak (talk) 13:49, 7 June 2024 (UTC)[reply]
More courtesy pings for participants of the 2021 VPT discussion: Sdkb, Enterprisey, Berchanhimez, Jon (WMF), Jonesey95, CaptainEek, GhostInTheMachine, Ladsgroup, xaosflux, SD0001. —⁠andrybak (talk) 13:07, 7 June 2024 (UTC)[reply]
That's a lot of pings. Does this issue need all this attention? I feel it has been resolved for a year or two. –Novem Linguae (talk) 13:34, 7 June 2024 (UTC)[reply]
Maybe it doesn't. I'm trying to ensure that the misinformation doesn't spread. For me personally, the starting point was Izno's 2021 comment (i.e. I was thinking it was deprecated), so this wall of text started as a draft for a message on his talk page asking for clarification, because I couldn't find what he was referring to about MediaWiki 1.29. I also had a vague memory of your Special:Diff/1222746631 Special:Diff/1222747277, but I failed to find it for a long time during the investigation. —⁠andrybak (talk) 13:49, 7 June 2024 (UTC)[reply]
Fixed incorrect diff link in this old message of mine. —⁠andrybak (talk) 00:19, 1 September 2024 (UTC)[reply]
Thanks @andrybak for putting together the very detailed history. At the time I added that comment I thought importScript had been deprecated (don't remember where I got that from tbh), but @Novem Linguae has already clarified that above. However I do agree with @Novem Linguae that there isn't much left to do regarding importScript vs mw.loader.load. ―sportzpikachu my talkcontribs 14:20, 7 June 2024 (UTC)[reply]
I'm still curious whether there's any performance difference between the two options. If not, importScript is certainly cleaner. Sdkbtalk 15:48, 7 June 2024 (UTC)[reply]
There is no performance difference (and there never was). Both functions use exactly the same mechanism for loading a script. Furthermore, if the same script is importScripted twice, it only loads once – which is not the case while using mw.loader.load, so in a way importScript is faster. – SD0001 (talk) 06:05, 8 June 2024 (UTC)[reply]
That is an impressive history. Nice detective work. – Jonesey95 (talk) 01:34, 11 June 2024 (UTC)[reply]
importScript() is not deprecated but it will be. Seeing from the patches such as gerrit:206078 and gerrit:203293 the intent is clear. Further use will make the migration harder in the future. Ladsgroupoverleg 18:06, 7 June 2024 (UTC)[reply]
Ladsgroup, the Gerrit links you've provided correspond to the items for year 2015 in the timeline above – I've used slightly different view via Phabricator*. Note the chronological order of these two patches:
  1. Apr 14, 2015 gerrit:203293 "wikibits: Mark importScript/importStylesheet utilities as deprecated"
  2. Apr 23, 2015 gerrit:206078 "wikibits: Un-deprecate importScript and importStylesheet // Per discussion on T95964. No suitable replacement exists yet."
* in addition to Gerrit and Phabricator, there is also the third view via Gitiles (which is integrated into Gerrit): 5c5e090 (wikibits: Mark importScript/importStylesheet utilities as deprecated, 2015-04-11), 8eb99c9 (wikibits: Un-deprecate importScript and importStylesheet, 2015-04-23). The dates can be confusing, because there are three of them for each patch/commit: author date, committer date, and submitted.
Hope this helps. —⁠andrybak (talk) 18:18, 7 June 2024 (UTC)[reply]
importScript has major code readability advantages over mw.loader.load. I definitely hope it is never deprecated. If it comes up in phab or gerrit I plan to share my opinion.
The author of gerrit:203293 mentioned above later said For local imports, call importScript(). This is not, and never was, deprecated. For cross-wiki and other less trivial use cases, call mw.loader.load(), which makes me wonder if there is still an intent to deprecate it. –Novem Linguae (talk) 19:36, 7 June 2024 (UTC)[reply]
I've added another relevant commit to the timeline, which mentions mw:Gadgets 3.0 (phab:T36958), and suggests that importScript is here to stay for quite a long time.
For context, the ticket for Gadgets 2.0phab:T31272: is still in status "Open", because it seems to be waiting on T153339, T125582, T31398, and T110014. However, a lot of other subtasks of T31272 are already implemented. T31272 also links to mw:Extension:Gadgets/Roadmap, which is marked as obsolete, which is confusing. The latest comments under T31272 are from April 2024 with consideration to integrate Gadgets 2.0 into an even bigger project – mw:Growth/Community configuration (phab:T323811), but this integration doesn't seem to have happened – the gadgets are only mentioned in T323811 under "Possible usecases". —⁠andrybak (talk) 20:33, 7 June 2024 (UTC)[reply]
The undeprecation patch is a decade old and mentions "no suitable replacement exists" - which still holds true. It's not like it will be deprecated until a replacement exists - which arguably is Gadgets 3 (phab:T36958). – SD0001 (talk) 06:10, 8 June 2024 (UTC)[reply]

"Normalize" function breaks CSS imports

Edit Jack who built the house (talk) 15:50, 13 July 2024 (UTC)[reply]

Looking at documentation of function mw.loader.load, it seems that just avoiding spaces inside the quoted 'string' or "string" of the parameter could be enough: Special:Diff/1234315858.
A more radical, more hacky approach is to remember which quotation marks—single ' or double "—were used and check if the part of the match, where we're expecting a singular parameter, includes the remembered quotation mark: Special:Diff/1231549277/1234730968. —⁠andrybak (talk) 18:54, 13 July 2024 (UTC)[reply]

Add user-select: none to #script-installer-top-container

Otherwise, when selecting the page title, the selection spreads to the script's links:

Jack who built the house (talk) 12:41, 16 August 2024 (UTC)[reply]

I've been using it in my sandbox version. Seems good so far, no issues found. —⁠andrybak (talk) 00:05, 21 August 2024 (UTC)[reply]
Is there something wrong with making links selectable? This is the standard behavior for almost all links on websites, right? Might be counter-intuitive to turn it off. –Novem Linguae (talk) 21:56, 27 August 2024 (UTC)[reply]
I think this is pretty much like how .mw-editsection [ edit | edit source ] has user-select: none. Jack who built the house (talk) 23:59, 27 August 2024 (UTC)[reply]
It makes copying the page title harder, as triple-clicking it also ends up selecting the install link. This is different from, for instance, how you can triple-click a section header to select just the header, not the edit links. – SD0001 (talk) 15:12, 28 August 2024 (UTC)[reply]
 Done (except I added it to the CSS rather than the JS) * Pppery * it has begun... 16:15, 9 November 2024 (UTC)[reply]

Interface-protected edit request on 20 August 2024

On MediaWiki:Gadget-script-installer-core.js#L-590, please replace the line with the following:

const scriptName = this.id.replaceAll("_", " ");

This will convert underscores to spaces, which will prevent duplicate script installs and false reports that a script that is installed isn't installed. Awesome Aasim 16:57, 20 August 2024 (UTC)[reply]

Use .replace(/_/g, " ") instead of .replaceAll("_", " "), which is not supported by some Grade A browsers. Nardog (talk) 01:43, 21 August 2024 (UTC)[reply]
Also per the style followed in the script, the space should be in single quotes. – SD0001 (talk) 10:50, 27 August 2024 (UTC)[reply]
@Awesome Aasim:: Do you have an example of this actually occurring in the wild? From my brief testing, it looks like the element id that this is keying off of is alredy normalized with respect to spaces/underscores. Writ Keeper  17:02, 31 August 2024 (UTC)[reply]
@Writ Keeper It is happening to me. I install a script and in some places it shows as not installed and in other places it shows as installed. It is a mess. Awesome Aasim 17:49, 31 August 2024 (UTC)[reply]
I was looking for some specifics. What script, where are you seeing this, where are you not seeing this, etc. Writ Keeper  21:17, 31 August 2024 (UTC)[reply]
I just created an example script to demonstrate my point. See User:Awesome Aasim/example script.js and User:Awesome Aasim/example script. Awesome Aasim 23:10, 31 August 2024 (UTC)[reply]
That works correctly for me. What behavior are you seeing that seems wrong? Writ Keeper  00:53, 1 September 2024 (UTC)[reply]
For one, the script shows with underscores. The other, the script shows with spaces. See [1]. Awesome Aasim 02:30, 1 September 2024 (UTC)[reply]
 Not done There does not seem to be sufficient agreement here to make an edit to a widely used gadget. * Pppery * it has begun... 16:16, 9 November 2024 (UTC)[reply]
I don't think consensus is needed to fix an obvious bug. User:Nardog seems to have a good suggestion. Awesome Aasim 19:51, 22 November 2024 (UTC)[reply]
Ping User:Nardog for above. Awesome Aasim 19:52, 22 November 2024 (UTC)[reply]

So after a bit of testing, I found the culprit. There are several places where there can potentially be underscores in the title. One of them is the "href" attribute linking back to the script.

After assigning scriptName, replacing all the underscores with spaces seems to work. Reopening this edit request with two things:

  1. MediaWiki:Gadget-script-installer-core.js#L-590 should read
    const scriptName = this.id.replace( /_/g, ' ' );  // if the script name happens to contain underscores, this purges it
    
  2. MediaWiki:Gadget-script-installer-core.js#L-610 should have the following added before the JS filtering line:
    scriptName = scriptName.replace( /_/g, ' ' ); // if the script name happens to contain underscores, this purges it
    

See [2]. Awesome Aasim 20:15, 22 November 2024 (UTC)[reply]

I'm not going to decline this request twice, because that's poor form, but the discussion with Writ Keeper above shows that this clearly is not an obvious bug. * Pppery * it has begun... 00:14, 23 November 2024 (UTC)[reply]

Interface-protected edit request on 28 August 2024

Define background color using CSS variables, for night mode compatibility. The header background color will change slightly (from #CAE1FF to #A3D3FF), as there is no perfectly matching CSS variable.

#script-installer-panel { width: 60%; border: solid lightgray 1px; padding: 0; margin-left: auto; margin-right: auto; margin-bottom: 15px; overflow: auto; box-shadow: 5px 5px 5px #999; background-color: #fff; z-index: 50; } #script-installer-panel header { background-color: #CAE1FF; display: block; padding: 5px; font-size: 1.1em; font-weight: bold; text-align: left; }
+
#script-installer-panel { width: 60%; border: solid lightgray 1px; padding: 0; margin-left: auto; margin-right: auto; margin-bottom: 15px; overflow: auto; box-shadow: 5px 5px 5px #999; background-color: var(--background-color-base, #fff); z-index: 50; } #script-installer-panel header { background-color: var(--background-color-content-added, #a3d3ff); display: block; padding: 5px; font-size: 1.1em; font-weight: bold; text-align: left; }

Andumé (talk) 17:32, 28 August 2024 (UTC)[reply]

I haven't had a chance to try and test this in a sandbox or anything, but has anyone else had a chance to review this request? From the get-go, it seems to be pretty harmless... ~Oshwah~(talk) (contribs) 20:38, 11 September 2024 (UTC)[reply]
Agreed that this looks harmless. This might be a good one to just make the edit directly to the gadget, then quickly test it by adding &debug=1 to the URL to clear the cache. Then take a peek at #script-installer-panel on a user's JS page by clicking "Manage user scripts" and make sure things don't look too crazy. In fact now that I typed this out I think I'll just do it :) One sec. –Novem Linguae (talk) 20:51, 11 September 2024 (UTC)[reply]
Looks good to me.  DoneNovem Linguae (talk) 20:55, 11 September 2024 (UTC)[reply]

Move STRINGS to separate JSON file

Hi! Can anyone please put the STRINGS ​​in a separate JSON (for example)? This will allow loading the script directly from enwiki, and changing a separate file if localization is needed. Iniquity (talk) 17:18, 17 November 2024 (UTC)[reply]