
What is the best solution to display field "Body" outside Vanilla


I need to post a discussion and first 5 comments outside Vanilla.

I thought at first to load bootstrap.php and do a simple SQL query.

It works perfectly, but it is impossible to use the function "FormatBody()" because some classes and functions are loaded via the controller.

I looked at using the API but apparently it is not possible to display the comments?

What is, for you, the best solution to display the field "Body" of discussions and comments with a result similar to the function "FormatBody()"?

Thanks a lot for your help!


  • R_J Ex-Fanboy Munich Admin

  • Thanks R_J!!

    Is it possible to export in JSONP (multiple domains)?

    Example:

  • R_J Ex-Fanboy Munich Admin
    edited September 2015

    Sorry, but I do not know anything about JSONP. Looking at the source, I found this:✓&q=jsonp which shows that there is a config setting Garden.AllowJSONP
    but it is not really useful by now (I guess I'll even create an Issue on GitHub, because the way it is used by now is nonsense...)

    Maybe you can create a PHP page on your server which pulls a discussion like that: with curl and then get the results of that PHP page from your server with JS?

    But honestly, I'm a js noob and there might be millions of better alternatives!

  • x00 MVP
    edited September 2015

    You should be able to set Garden.AllowJSONP in config.

    You need to put the callback=something on your URL. In jQuery you can do this automatically, as you probably know.

    You must sanitize Body. Don't assume it is sanitised. This might be hard to do without relay/proxying, unless you are happy to strip tags.

    grep is your friend.
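
An added example, not code from the thread: one way to follow the "strip tags" advice above for a discussion and its first 5 comments before they are shown on another site. The payload shape (`Discussion`, `Comments`, `Body`) and all function names are assumptions, and the sample data is constructed.

```javascript
// Added example: field names (Discussion, Comments, Body) are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Strip well-formed tags for readability, then escape everything that is left,
// so markup the regex missed (for example an unclosed tag) is still inert.
function bodyToSafeText(body) {
  const withoutTags = String(body == null ? '' : body).replace(/<[^>]*>/g, '');
  return escapeHtml(withoutTags);
}

// Returns the discussion body plus at most `limit` comment bodies, all as safe text.
function extractBodies(payload, limit = 5) {
  const comments = Array.isArray(payload.Comments) ? payload.Comments : [];
  return {
    discussion: bodyToSafeText(payload.Discussion && payload.Discussion.Body),
    comments: comments.slice(0, limit).map((c) => bodyToSafeText(c.Body)),
  };
}

// Constructed sample payload, not real forum data.
const samplePayload = {
  Discussion: { Body: 'Hello <b>world</b><img src=x onerror=alert(1)> 1 < 2' },
  Comments: [
    { Body: '<p>First</p>' }, { Body: '<script src=//example.invalid' },
    { Body: 'Tom & "Jerry"' }, { Body: 'four' }, { Body: 'five' }, { Body: 'six' },
  ],
};
```

The escaping step is what makes the output safe; the tag stripping only keeps the text readable.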

  • mtschirs ✭✭✭
    edited September 2015

    Don't activate JSONP. It is a security risk. Look for alternative cross domain access methods such as CORS etc.

  • @mtschirs said:
    Don't activate JSONP. It is a security risk. Look for alternative cross domain access methods such as CORS etc.

    It depends what you are doing with it. If you are stripping everything and just using text it is not a problem.

    Yes CORS is more restrictive yes, but support is still sketchy.

    grep is your friend.

  • Clément
    edited September 2015

    I really appreciate your help! =)

    Finally, this solution should not really me.
    Using the output format "VIEW", I get all the html, not just the "Body" and using the output format "DATA", I get the "Body" field, but without using the function "formatBody()"

    I found a solution that consists of loading a discussion. After, I can use the function "formatBody()".


    // Create and configure the dispatcher.
    $Dispatcher = \Gdn::dispatcher();
    $EnabledApplications = \Gdn::ApplicationManager()->EnabledApplicationFolders();
    $Dispatcher->PassProperty('EnabledApplications', $EnabledApplications);
    // Process the request.


    $body = new \stdClass();
    $body->Body = 'A test : =)';
    $body->Format = 'Wysiwyg';
    $message = formatBody($body);


    I'll try to use JSONP in the coming days.

    I did not know CORS... Interesting!

    Why would JSONP be insecure? For me it is the same thing as JSON but allows JavaScript to retrieve it from other domains.

  • @Clément there is no point force loading the framework to get a discussion, if you do that you might as well create an endpoint as a plugin and use the model directly.

    Another idea is to create a vanilla module. Then you can load the module as is e.g.

    grep is your friend.

  • x00 MVP
    edited September 2015

    Obviously you have to work around cross domain. Is this on the same server or different?

    grep is your friend.

  • Yes, it is around cross domain on the same server.

    I must finish this dev quickly.
    I would study these options after launching the site.

    I know, my solution is not pro... just provisional.

    Again thank you for your help!

  • See this data

    Data is base64 encoded. There are jQuery libraries to decode it.

    If you wanted to create your own module this is an option. It can be formatted as required as an HTML fragment.

    If it is cross domain but on the same server, you don't have to cross the domain. You can create a server rule for that one endpoint that you need on the same domain. The main downside is session reliant stuff data.

    However if you don't want to do that you also have JSONP.

    grep is your friend.

  • x00 MVP
    edited September 2015

    The reason for .json is that if you are cross domain, an HTML fragment is not valid JavaScript, which is what JSONP works on. JSON and JavaScript objects are the same, so you can parse JSON as JavaScript. JSONP is already a JavaScript script; the JSON is passed to a callback function as an argument, e.g.

    random_callback({"foo":"bar"});

    This function has been predefined as a handler, so its name is passed to the server as the callback name to wrap the JSON, so the correct function gets called and the function will return the object (or process it directly).

    Usually it is some randomly generated name, jquery does this automatically.

    grep is your friend.
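
An added example, not code from the thread or from Vanilla: the callback wrapping described above, written as a server-side response builder that accepts only a plain identifier as the callback name, next to the CORS alternative suggested earlier in the thread. The function names, the origin allowlist and the example origin are assumptions.

```javascript
// Added example: function names, the allowlist and the origin are assumptions.
const ALLOWED_ORIGINS = new Set(['https://www.example.com']); // hypothetical embedding site
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// The payload runs as script, so escape the characters that could close a
// <script> block or act as line terminators in older JavaScript engines.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// JSONP: wrap the JSON in the caller-supplied function name, but only when
// that name is a plain identifier. There is no origin check in JSONP: any
// page that loads this URL in a <script> tag receives the data.
function jsonpResponse(callback, data) {
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${callback}(${jsonForScript(data)});`,
  };
}

// CORS: plain JSON that the browser lets only allowlisted origins read.
function corsResponse(origin, data) {
  const headers = { 'Content-Type': 'application/json; charset=utf-8', Vary: 'Origin' };
  if (ALLOWED_ORIGINS.has(origin)) headers['Access-Control-Allow-Origin'] = origin;
  return { status: 200, headers, body: JSON.stringify(data) };
}
```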
