User talk:Enterprisey/script-installer

This is a subpage of Enterprisey's talk page, where you can send him messages and comments.

Put new text under old text. Click here to start a new topic. New to Wikipedia? Welcome! Learn to edit; get help. Assume good faith Be polite and avoid personal attacks Be welcoming to newcomers Seek dispute resolution if needed

Archives: 1

Feature request: generate code that matches {{subst:iusc}}

Latest comment: 28 days ago4 comments3 people in discussion

Here's my common.js right now.

importScript( 'User:Enterprisey/script-installer.js' ); // Backlink: User:Enterprisey/script-installer.js
importScript('User:Enterprisey/easy-brfa.js'); // Backlink: User:Enterprisey/easy-brfa.js
importScript('User:Enterprisey/cv-revdel.js'); // Backlink: User:Enterprisey/cv-revdel.js
importScript('User:Enterprisey/reply-link.js'); // Backlink: User:Enterprisey/reply-link.js
importScript('User:Enterprisey/talk-tab-count.js'); // Backlink: User:Enterprisey/talk-tab-count.js
importScript('User:Enterprisey/user-tabs-on-contribs.js'); // Backlink: User:Enterprisey/user-tabs-on-contribs.js

Does that bug you? It bugs me. Would it be possible to change script-installer to match {{subst:iusc}}'s output? (For that matter, is there a reason it doesn't just generate that subst in the first place? DRY and all that.) Gaelan 💬✏️ 09:39, 24 February 2019 (UTC)Reply

Gaelan, is this still an issue? I checked your common.js and my common.js and couldn't see what you're talking about - I'm probably not understanding your comment. Enterprisey (talk!) 06:28, 13 October 2019 (UTC)Reply

Oh, spacing inside the parentheses. Huh. Yeah, the subst would be fine. I don't feel very strongly about this. I guess I'll consider adding spaces. Enterprisey (talk!) 04:19, 26 January 2021 (UTC)Reply

As of 2024, the gadget is not putting spaces inside parentheses. Judging from the lack of comments on this page, I don't think most users mind. Probably should leave as is. –Novem Linguae (talk) 17:48, 7 May 2024 (UTC)Reply

Global

Latest comment: 2 years ago2 comments2 people in discussion

@Enterprisey: It would be neat if this script was extended to allow installing scripts on global.js, too. ~★ nmaia ^d 01:05, 15 September 2020 (UTC)Reply

Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)Reply

TODO: Bulk deletion support

Latest comment: 2 years ago3 comments2 people in discussion

With checkboxes. Enterprisey (talk!) 04:10, 26 January 2021 (UTC)Reply

  That'd be great! — 𝐆𝐮𝐚𝐫𝐚𝐩𝐢𝐫𝐚𝐧𝐠𝐚 (talk) 23:41, 26 May 2021 (UTC)Reply

Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)Reply

id vs data-

Latest comment: 3 years ago1 comment1 person in discussion

I don't think relying on IDs for getting script paths is a good idea as it results in invalid HTML if the same path appears more than once per page. Shouldn't it use a data-* attribute? Nardog (talk) 23:18, 8 April 2021 (UTC)Reply

scriptManager

Latest comment: 2 years ago3 comments3 people in discussion

@Enterprisey: It would be helpful if you added a function allowing you to add scripts using scriptManager's syntax. ― Qwerfjkl | 𝕋𝔸𝕃𝕂  (please use {{reply to|Qwerfjkl}} on reply) 13:53, 23 May 2021 (UTC)Reply

Agreed. — Guarapiranga (talk) 23:50, 26 May 2021 (UTC)Reply

Status: I have no plans to work on this, but would be happy to mentor someone if they wanted to work on it themselves. Enterprisey (talk!) 23:53, 13 August 2021 (UTC)Reply

Lusc instead of iusc

Latest comment: 28 days ago6 comments4 people in discussion

This script still seems to be using {{Iusc}}, rather than {{Lusc}}, which I understand to be the preferred method. Enterprisey, would it be possible to update that? {{u|Sdkb}} ^talk 03:47, 23 November 2021 (UTC)Reply

@Enterprisey: Any update on this? importScript() (which {{iusc}}) uses has been deprecated for a while now. See T95964 ―sportzpikachu _{my talkcontribs} 10:45, 10 December 2021 (UTC)Reply

I plan to get to this at some point, but it's not urgent; there's still no good official replacement ("Gadgets 3.0" or whatever number they're on now). So it would just be for the slight performance benefit. Enterprisey (talk!) 04:42, 11 December 2021 (UTC)Reply

Strong oppose. There was some misinformation going around a year or two ago that iusc was deprecated, but this had no basis in fact. See Template:Install user script#importScript() is not deprecated for more info. I strongly prefer iusc because it is much more readable. –Novem Linguae (talk) 17:52, 7 May 2024 (UTC)Reply

I switched all my scripts to use {{Lusc}} in 2021 after I was told that it would significantly improve page loading speed, and at the time it seemed to do so. Is that no longer the case? Sdkb ^talk 18:06, 7 May 2024 (UTC)Reply

Interesting. I haven't looked into the performance angle of this. –Novem Linguae (talk) 18:45, 7 May 2024 (UTC)Reply

Various to-dos

Latest comment: 2 years ago1 comment1 person in discussion

@Enterprisey: Now that phab:T300743 is fixed, I can list the other to-do items that I noticed while looking for XSS issues. These are all suggestions for future development that you can take or leave as you see fit.

• The gadget should check the content model of script pages before installing them, and only install ones with a content model of JavaScript. In theory, not checking this would allow an attacker to add JavaScript code to a wikitext page in a trusted user's userspace (which anyone can edit), and then trick the victim into installing the attacker's code while the victim believes it is written by the trusted user. In practice, this attack is stopped by MediaWiki setting the X-Content-Type-Options header to "nosniff", which prevents loading scripts from pages that don't have a MIME type of "text/javascript". This could be a problem in very old browsers though, so it would be worth fixing.
• Import.fromJs is broken for scripts with double or single quotes in them (e.g. User:Example/foo"bar.js). The script trims the first quote character and everything after it, which means it tries to install e.g. User:Example/foo instead. Fixing this would mean parsing the string with a JavaScript parser instead of with regex - unfortunately, I'm not aware of an easy way of doing that without installing third-party libraries, so this could be a lot of work.
• The cookie attributes of the open_script_installer need fixing. Firefox was giving the following warning in the console: Cookie “open_script_installer” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
• There are some missing translation strings: see the latter half of the diff of the Chinese translation to see where they are. They also use different pipe and bracket characters, so those might be worth including as well. The mw.Message class might be worth a look into for this.

Best — Mr. Stradivarius ^{♪ talk ♪} 13:33, 7 February 2022 (UTC)Reply

unable to uninstall autoFormatter & cleanDiff

Latest comment: 28 days ago2 comments2 people in discussion

@Enterprisey: i am unable to uninstall both autoFormatter & cleanDiff on common.js. can you please look into it. <_> jindam, vani (talk) 13:56, 27 December 2022 (UTC)Reply

Links: meta:User:TMg/autoFormatter, de:Benutzer:TMg/cleanDiff.js. These are both non-English Wikipedia user scripts, which is probably why this gadget didn't work. –Novem Linguae (talk) 17:55, 7 May 2024 (UTC)Reply

Recognize Full Protection

Latest comment: 8 months ago1 comment1 person in discussion

@Enterprisey Currently, the script claims that Wikipedia:AutoEd/complete.js is insecure, in spite of the full protection. Could support be added? Aaron Liu (talk) 16:56, 13 September 2023 (UTC)Reply

Should script-installer add userscript pages to the watchlist?

Latest comment: 19 hours ago4 comments3 people in discussion

Working on userscripts sometimes requires discussion. Because script-installer is a gadget, this talk page is relatively active, but this is not true for all userscripts. In a recent case, I posted on the talk page of the author, because the script didn't have an existing talk page (both documentation and the code talk pages don't exist at the time of writing). However, in another case I created a talk page corresponding to the script's documentation page and pinged the author.

Technically, due to backlinks generated by automatic script installation, I could figure out all the users, but pinging or messaging them would be way too much spam, which is disruptive.

What if script-installer automatically added/removed the pages (documentation and .js) of a userscript being installed/uninstalled to the watchlist? This would keep the users informed of any updates that might affect them, and maybe encourage their participation in discussions.

On the other hand, such automatic meddling with the watchlist might annoy some users. —⁠andrybak (talk) 13:11, 4 June 2024 (UTC)Reply

Andrybak, it could be added as a default-on preference that can be configured in the common.js/skin.js page, like nav popups has. — Qwerfjkltalk 16:24, 4 June 2024 (UTC)Reply

Is the proposal to automatically add to your watchlist any user script installed with this gadget? I wouldn't personally be interested in that. I've installed around 50 user scripts, I think, and I don't have a reason for them to be on my watchlist. Please correct me if I'm misunderstanding. –Novem Linguae (talk) 16:39, 4 June 2024 (UTC)Reply

Your understanding of the proposal is correct. With Qwerfjkl's preference idea, it will be possible to disable this functionality. —⁠andrybak (talk) 16:52, 4 June 2024 (UTC)Reply