[Userscript] Community Mnemonics (v0.9.7.8)

Aaaaaaand, I’m back as promised! It seems like the fix works! Thanks :smile:

Last I remember hearing of this script didn’t it have like a huge security issue or something? Was that ever fixed or no?

I took TellowKrinkle’s version and fixed the issue where the text of multiline mnemonics goes out of bounds in certain cases. Download from here and paste into TamperMonkey’s editor.

I also made some CSS updates: the button colors now correspond to the color of the formatted text, so it’s 5000% easier to remember which is which. Also, I fixed the black-on-black highlighting issue.

I may be a noob, but this script with the fixes isn’t working for me.

Anybody know how to get these variables to work?

It said that for me too, but it works fine. I think it’s more of a warning than an error.

Nevermind. I just didn’t save it. It works great for me.

Time to put in all the mnemonics ideas I’ve had. I hope this takes off like it promised.

I just discovered this script and am looking forward to using it. But it appears to not be working on item pages for me, just lessons and reviews. Anyone else seeing this? Is the script still in use by anyone, or is it basically defunct?

I use it but it’s really buggy and it was obviously abandoned, no official updates since 2015.

Honestly, community mnemonics is such a brilliant idea that it’s sad to see that this script was abandoned.

Indeed sad that it’s abandoned. Awesome script!

Yeah, there have been a few instances where even in its broken state this script gave me a mnemonic that worked much better for me than the ‘official’ one.

Would be amazing if the content could be rescued somehow and ported into a new, actually functional, script.

Ahhhhh no! It’s abandoned? :sob: :sob: :sob:
Well. I will keep it for the parts that work at least. I hope that someone with the skill and interest tries picking it up again.

Shameless bump to see if a Script Creator Angel could pick this up. It would be so nice…

TL;DR: Update
https://github.com/Dakes/WKCommunityMnemonics/raw/main/WK%20Community%20Mnemonics.user.js

Hey guys! :durtle_hello:

While looking for plugins to improve WaniKani I also found this pearl but noticed it was abandoned. And since no one seemed interested to fix it I decided to take the challenge myself. At this point I have only applied the fixes by TellowKrinkle and fixed this “c” user bug. At least for me it is fully working now, as it should be. I have created a Github repo for it: GitHub - Dakes/WKCommunityMnemonics: This script allows WaniKani members to contribute their own mnemonics which appear on any page that includes item info.
If you find any more bugs, you can create an Issue there to let me know. (Or post here).
I am still a noob with JavaScript and web development, but everyone has to start off somewhere, and I am still only Level 3, so I will have plenty of time until I reach Level 60. :slight_smile:

To install the new Version open this Link: https://github.com/Dakes/WKCommunityMnemonics/raw/main/WK%20Community%20Mnemonics.user.js
(The Greasyfork version referenced in the code differs slightly from the GitHub version, since it does not allow external code via @require, but Greasyfork is only used to check the version anyway [already on my TODO list]. But I noticed that the external code used, tabletop, is deprecated anyway. So there’s quite a bit to do.)

@AtticusD
@Coddiwomple
@cehrlich
@_Mashira
@ajcr
@sporadic
@anon65123705
@MultipleMono
@TellowKrinkle
@Sky20

Cool stuff. Very much appreciated!

Hey all! Some security concerns about this particular script were brought to our attention today, and we’re working with @Samuel-H and @Dakes to address them.

I asked that access to the Google Sheet that drives this userscript be set to read-only, which is now the case. That should protect everyone from the main avenue of attack.

I know it turns off adding new mnemonics, but I think it’s a fair compromise: it lets people use the mnemonics safely, gives everyone the chance to enjoy the holidays, and buys the authors some time to revise the script (if they want).

Thanks to everyone for the quick action.

For @Samuel-H and @Dakes, if you want to fix your script, I think some of the fixes that people have proposed won’t work. For example, if you just run the existing pre-submission validation code also before content is displayed, it won’t work because that code does not block javascript in all cases. For example, it would not block javascript executed by <img src="any valid image url" onload="alert();">. There are a lot of corner cases, so I think the best approach would be one of the following (or ideally, implement them both as an extra precaution).

  1. Convert any user content the script wants to display into a data: url, then create an iframe with the sandbox attribute and set the src of the iframe to the data url. (Importantly, setting the src of the iframe should be done only after giving it the sandbox attribute.) By default, sandboxed iframes block all javascript and also prevent other types of potentially unwanted/malicious behavior. The only annoyance is that they will need to set the size of the iframe in your script, but I think this StackOverflow question has a solution for that. (I would stick with the accepted answer I linked because some of the other answers use contents() and I’m not sure if that is safe.)

  2. Do what @sheodox suggested:

Note though that #2 is probably less reliable. I’m happy to audit whatever implementation you eventually decide on.
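An added example of approach #1 above (sandboxed iframe fed a data: URL); it is not code from any post in this thread or from the Community Mnemonics script, and the names `mnemonicDataUrl` and `renderInSandbox` are assumed:

```javascript
// Added example, not the userscript's own code: display untrusted mnemonic
// HTML inside a sandboxed iframe. Function names are hypothetical.

// Build the data: URL that becomes the iframe's src. The document is
// URL-encoded so characters such as '#' and '%' in the content survive.
function mnemonicDataUrl(untrustedHtml) {
  const doc = '<!DOCTYPE html><meta charset="utf-8">' + untrustedHtml;
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(doc);
}

// Create the iframe inside `container` of `doc` (the page's `document`
// in a real userscript). Order matters: the sandbox attribute must be in
// place BEFORE src is assigned, otherwise the content could be loaded once
// without restrictions.
function renderInSandbox(doc, container, untrustedHtml) {
  const frame = doc.createElement('iframe');
  // An empty sandbox value enables every restriction: no scripts, no forms,
  // no top-level navigation, and an opaque origin for the frame's content.
  frame.setAttribute('sandbox', '');
  frame.src = mnemonicDataUrl(untrustedHtml); // only after sandbox is set
  container.appendChild(frame);
  return frame;
}
```

Sizing the frame to its content is left to the page script, as the post notes.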

Hello everybody, @oldbonsai @est_fills_cando
I will, as proposed, exchange the HTML tags used for highlighting with something that is also a little more user friendly ([k]kanji[/k] etc.) and replace them by the actual highlighting tags.
I will also sanitize all data from the spreadsheet of any HTML tags as soon as it is read, as well as all data being input by the user.
I will also write a script to convert all tags in the spreadsheet to the new syntax, so that old mnemonics will still work properly.
When I am done with this I will look into this data url and iframe thing. But I am not sure if it will actually be needed then.

I am also worried about everyone who is still using the old version. As long as Samuel-H isn’t updating his version at GreasyFork with a reference to the new code, these people will never know there is a new version, unless they look here.
But I will probably just contact him on GitHub over the next few days.

In order to make sure your code for transforming the markup into html is secure and reliable, you should write separate code that parses the data into a tree and separate code that serializes the tree. (Don’t just do regex replacement or try to convert the markup into HTML in-place. That is too easy to do in a way that is insecure.) You should also make sure your code detects and throws an error on invalid markup like [k]kanji[k][/k].

Again, writing parsing and serialization code can be fairly error prone. I just want to stress to avoid any temptations to do something quick and dirty or take shortcuts in the code, because doing so often leads to security problems.

Edit: Still, just using an iframe with the sandbox attribute probably shouldn’t be the only protection because apparently, there have been security bugs allowing one to bypass the sandbox attribute as recently as a year ago, maybe less.
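An added example of the parse-then-serialize approach recommended above for the [k]kanji[/k] markup; it is not code from any post here or from the script itself, and the tag set in `TAGS` and the function names are assumptions:

```javascript
// Added example, not the userscript's own code: parse bracket markup into a
// tree, then serialize the tree to HTML. The tag set is an assumption.
const TAGS = { k: 'kanji-highlight', r: 'radical-highlight', v: 'vocab-highlight' };

// Parse into { type: 'root', children } with element nodes
// { type: 'el', tag, children } and text nodes { type: 'text', value }.
// Throws on unknown tags, stray closers, nested or unclosed tags.
function parseMnemonic(src) {
  const root = { type: 'root', children: [] };
  const stack = [root];
  const re = /\[(\/?)([a-z]+)\]/g;
  let last = 0, m;
  while ((m = re.exec(src)) !== null) {
    const parent = stack[stack.length - 1];
    if (m.index > last) parent.children.push({ type: 'text', value: src.slice(last, m.index) });
    const [, close, tag] = m;
    if (!(tag in TAGS)) throw new Error(`unknown tag [${tag}] at ${m.index}`);
    if (close) {
      if (parent.type !== 'el' || parent.tag !== tag) throw new Error(`unexpected [/${tag}] at ${m.index}`);
      stack.pop();
    } else {
      // Rejects e.g. [k]kanji[k][/k]: the same tag may not be nested.
      if (stack.some(n => n.tag === tag)) throw new Error(`nested [${tag}] at ${m.index}`);
      const el = { type: 'el', tag, children: [] };
      parent.children.push(el);
      stack.push(el);
    }
    last = re.lastIndex;
  }
  if (last < src.length) stack[stack.length - 1].children.push({ type: 'text', value: src.slice(last) });
  if (stack.length !== 1) throw new Error(`unclosed [${stack[stack.length - 1].tag}]`);
  return root;
}

// Text nodes are always escaped, so any HTML in the sheet data stays inert.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Serialize the tree; elements can only come from the TAGS whitelist.
function serializeMnemonic(node) {
  if (node.type === 'text') return escapeHtml(node.value);
  const inner = node.children.map(serializeMnemonic).join('');
  if (node.type === 'root') return inner;
  return `<span class="${TAGS[node.tag]}">${inner}</span>`;
}

function renderMnemonic(src) { return serializeMnemonic(parseMnemonic(src)); }
```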

I thought @oldbonsai said in his post that @Samuel-H made his sheet read only too, or did I misunderstand?