Results 224 comments of etc

> It seems there have already been attempts to add pgonly attribute to article_custom tag.

Sure, including mine, a few years ago :-) It didn't get much attention, but I'm not desperate. The...

The initial patch (enable pages count for article_custom) is merged into dev now. The rest of this branch allows for finer custom fields match in article(_custom) and related_articles.

Thanks @Bloke. I thought we should postpone it to the unlimited custom fields era, also because `separator` could then become part of custom field definition.

@petecooper this branch will be superseded by cf, so eventually including it in dev is only worth considering if dev and cf will not merge in the near future. But...

Thanks Jukka, nice to know you follow! Yep, the recent txp JS is a holy mess, but what user-given values are you talking about in this case? Column names come...

Hard to disagree, like on backups. Jokes apart, thanks, I wrongly presumed that jQuery `html()` wouldn't unescape its string argument. Nothing urges atm, but we need to seriously revise `textpattern.js`...

> Even if the used text presentation was replaced with HTML string presentation of the node contents, it is still wrong and exploitable.

I agree on wrong, curious to see...

That's how the partials update was in 4.5.7:

```
$response = '$("'.$p['selector'].'").replaceWith("'.escape_js($p['html']).'")';
...
send_script_response($response);
```

As I get it, all sanitation is done server-side via `escape_js`. Is this fine?

Okay, if "unsafe and potentially exploitable" means broken interface, there is no emergency, thanks for clarification. I'm only an inspired amateur fearing to break something. Sure, we would do it...

+1, sure, please start with `upload_form(:-)`. The speed is not critical on the admin side, imo, and the extra footprint is justified if it helps to avoid code redundancy.