Extension:SecureHTML
 |
The author of this extension is no longer maintaining it! Meaning any reports for additional features and/or bugfixes will more than likely be ignored. Volunteers are encouraged to take on the task of developing and maintaining it. As a courtesy, you may want to contact the author. You should also remove this template and list yourself as maintaining the extension in the page's {{extension}} infobox. |
 |
WARNING: the code or configuration described here poses a major security risk.
Problem: Vulnerable to Cross-site scripting attacks, because it passes user input directly to the browser. This may lead to user accounts being hijacked, among other things. |
 Release status: beta |
|
|---|---|
| Implementation | Tag, User rights |
| Description | This extension securely inserts HTML section(s) or pages on a wiki page. |
| Author(s) | Jean-Lou Dupont |
| Last version | 2.3.0 |
| MediaWiki | 1.10.0 - 1.15.x |
| License | No license specified |
| Download | SVN See SVN ($Id$) |
| Check usage (experimental) | |
This extension allows editors to add HTML section(s) or pages on a wiki page. This extension can only be used on protected pages, but allows an editor to add a protected template on an unprotected, editable page. The extension uses the '$wgRawHtml' global variable of Mediawiki.
Contents |
[edit] Features
- Cascading: if the base page is allowed to use 'html' tags, then all included pages will be processed as if they could.
- Namespace exemption: configured namespaces are exempted from 'protection' requirement
- Parser cache friendliness:
- The extension must be enabled to continue the support of the inserted content
- Support for the parser function {{#html}}
- {{#shtml}} is very well suited for securely embedding widgets such as the ones created with SproutBuilder or GoogleGadgets.
- The page where the shtml parser function is used does not need to be protected but the template page where the javascript/html widget code is located must though.
- This behavior makes it easy for administrator to allow selected widgets to be included by the user population of the wiki
[edit] Usage
[edit] < html> tag
- Use the standard <html> tags (see Manual:$wgRawHtml) within a protected page. One can either protect the page before or after the inclusion of the said tag(s).
- Complete usage example for using iframes tag:
<html><iframe src="http://stim.com/" width=600 height=500></iframe></html>
[edit] {{ #html}} parser function
Use: {{#html:page_name [|optional parameters]}} where:
page_nameis the page name of the article to includeoptional parametersare of the form:param_x = value_x | param_y = value_y
The page where this parser function is used must be edit protected.
[edit] {{ #shtml }} parser function
Same usage as for #html with difference that the origin page where this parser function is used does not need to be edit protected. The target page's edit protection attribute ensures security.
[edit] Example
[edit] Test Page
{{#html:Template:Page1|param1=value1}}
[edit] Template:Page1
This parameter will be replaced when called from Test:Page >> {@{param1}@}
[edit] Required extensions
- StubManager extension
- ParserFunctionsHelper extension is optional and only required for the parser function #shtml
[edit] Installation
See the Mediawiki Extension table entry "download" above.[1]
[edit] LocalSettings.php
Extension:ExtensionManager: See footnote[2]
- Add the following to LocalSettings.php, if the extension was downloaded from Jean-Lou Dupont's MediaWiki SVN directory (link in the download entry of the table above)[2]:
require_once( "$IP/extensions/SecureHTML/SecureHTML.php" );
- Since this Extensions is depending on StubManager, add the line after the StubManager include, or else your Wiki won't work.
[edit] PEARPEAR is a repository of PHP software code.
require 'MediaWiki/SecureHTML/SecureHTML.php';
[edit] Upgrades through PEARSometimes, it is necessary to clear PEAR's cache in order to perform upgrades.
or use the force method:
[edit] PEAR Web FrontendFor easier remote package management, PEAR Frontend WEB can be installed. Installation notes can be found here. An example of the WEB frontend is available here. |
[edit] RSS feed
To keep up-to-date with this channel, use the following RSS feed__
.
[edit] Notes
[edit] Other Extensions From the same author
Consult User Jldupont's page.
- ↑ The most recent release is always available through the extension's PEAR and SVN repositories. This page is not necessarily up-to-date.
- ↑ 2.0 2.1 2.2 Extension:ExtensionManager does not require any modification to LocalSettings.php because ExtensionManager includes the extension.
Note that if PHP code caching is in place (e.g. APC, eAccelerator), then to successfully complete the installation a cache flush might be needed. - ↑ Modifications to
LocalSettings.phpis only necessary if not using Extension:ExtensionManager
[edit] Reason for the {{ #html}} parser function
It is sometimes useful to include, in a secure fashion, a template containing 'raw html' in another page. This enables, for example, the construction of gadgets.
Through the added functionality of parameterization using the {@{parameter_here}@}, the said templates can be customized on a per-page basis without resorting to convoluted escape patterns (e.g. </html>{{{parameter_here}}}<html>) which renders page viewing difficult to humans.
[edit] History
- added namespace exemption functionality i.e. namespaces where article do not need to be protected in order to use 'html' tags
- use
SecureHTMLclass::enableExemptNamespaces = false;to turn off - use
SecureHTMLclass::exemptNamespaces[] = NS_XYZ;to add namespaces
- use
- enhanced with functionality to 'add' content to the document's 'head' section
- Removed dependency on ExtensionClass
- Enabled for 'StubManager'
- Added 'addExemptNamespaces' function
[edit] 1.1.0
- Added, by default, NS_MEDIAWIKI namespace to the exemptNamespaces
[edit] 2.0.0
- Addition of the parser function
{{ #html}}
[edit] 2.1.0
- Addition of the parser function #shtml (requires Extension:ParserFunctionsHelper)
[edit] Todo
- Fix for allowing more customization of 'exempt' namespaces even when using StubManager
- Think about renaming the extension to be more distinct from Extension:Secure HTML
[edit] See also
- Extension:Secured HTML - Similar name, different extension which restricts <html> sections to protected pages/namespaces.
- Extension:Secure HTML
- Extension:Anysite - Embeds a website in a wiki page without touching HTML settings.
- Extension:Secured_PHP
- Extension:SecureWidgets
| Language: | English • 日本語 |
|---|
