Extension:Secured HTML
This extension stores its source code on a wiki page. Please be aware that this code may be unreviewed or maliciously altered. It may contain security holes, outdated interfaces that are no longer compatible, etc. The developer is encouraged and invited to request access to MediaWiki's code repository to address this.
WARNING: the code or configuration described here poses a major security risk.
Problem: Vulnerable to cross-site scripting attacks, because it passes user input directly to the browser. This may lead to user accounts being hijacked, among other things.
Secured HTML

| | |
|---|---|
| Release status | beta |
| Implementation | Tag |
| Description | Gives allowed users the ability to add raw HTML to pages. |
| Author(s) | Shaiaqua |
| License | No license specified |
| Download | see below |

This extension allows users with the coding right to add raw HTML to pages, with the {{#html: }} function.
Usage
- Example 1
In any wiki page, insert the following markup:
{{#html: mysite_iframe}}
A user that belongs to the "coders" group must also create a page in the "HTML" namespace, called HTML:mysite_iframe that contains:
<iframe src="mysite.com">
- Example 2
This extension also allows arguments to be substituted during the inclusion phase:
{{#html: any_iframe|target=mysite.com|scroll=no}}
A user that belongs to the "coders" group must also create a page in the "HTML" namespace, called HTML:any_iframe that contains:
<iframe src="{{target}}" scrolling="{{scroll}}">
Download instructions
Please cut and paste the code found below and place it in $IP/extensions/Secured_HTML/Secured_HTML.php and $IP/extensions/Secured_HTML/Secured_HTML.i18n.php. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.
Installation
To install this extension, add the following to LocalSettings.php:

```php
$wgGroupPermissions['coding']['coding'] = true;
require_once("$IP/extensions/Secured_HTML/Secured_HTML.php");
```
Code
Secured_HTML.php:

```php
<?php
# create namespace
define("NS_HTML", 122);
define("NS_HTML_TALK", 123);
$wgExtraNamespaces[NS_HTML] = "HTML";
$wgExtraNamespaces[NS_HTML_TALK] = "HTML_talk";

# protect namespace
$wgNamespaceProtection[NS_HTML] = Array("coding");
$wgNamespacesWithSubpages[NS_HTML] = true;
$wgGroupPermissions['*']['coding'] = false;
$wgGroupPermissions['coding']['coding'] = true;
$wgAvailableRights[] = 'coding';

$wgExtensionMessagesFiles['Secured_HTML'] = dirname(__FILE__) . '/Secured_HTML.i18n.php';
$wgExtensionFunctions[] = "wfSecuredHTMLExtension";
$wgHooks['LanguageGetMagic'][] = 'efHtml_Magic';
$wgExtensionCredits['parserhook'][] = array(
    'name' => 'Secured HTML',
    'author' => 'Shaiaqua',
    'url' => 'http://www.mediawiki.org/wiki/Extension:Secured_HTML',
    'description' => 'Lets you include arbitrary HTML in an authorized and secure way',
);

# register the {{#html: }} parser function
function wfSecuredHTMLExtension() {
    global $wgParser;
    $wgParser->setFunctionHook( "html", "renderSecuredHTML" );
    wfLoadExtensionMessages('Secured_HTML');
}

function efHtml_Magic( &$magicWords, $langCode ) {
    $magicWords['html'] = array( 0, 'html' );
    return true;
}

function renderSecuredHTML( &$parser, $param1 = '', $param2 = '' ) {
    $title = Title::makeTitleSafe( NS_HTML, $param1 );
    if(!$title)return false; // makeTitleSafe() returns null for an invalid title, so check before calling methods on it
    if(!$title->exists())return "[[{$param1}]]"; // return standard red link if page doesn't exist
    $revision = Revision::newFromTitle( $title );
    if(!$revision)return false;
    $wikitext = $revision->getText();
    if($param2){
        # arguments arrive as one string of name=value pairs separated by '&'
        $params = explode('&',$param2);
        foreach($params as $param) {
            $param = explode('=',$param,2);
            if(count($param) < 2)continue; // skip arguments that have no value
            # values replace {{{name|}}} and {{{name}}} verbatim, with no HTML escaping
            $wikitext = str_replace('{{{'.$param[0].'|}}}',$param[1],$wikitext);
            $wikitext = str_replace('{{{'.$param[0].'}}}',$param[1],$wikitext);
        }
    }
    # remove any {{{name|}}} placeholders that were not filled in
    $wikitext = preg_replace('/{{{[^}]+\|}}}/','',$wikitext);
    $output = $wikitext;
    # the result is handed to the parser as raw HTML and is not parsed further
    return array($output, 'noparse' => true, 'isHTML' => true);
}
```
Secured_HTML.i18n.php:

```php
<?php
$messages = array();
$messages['en'] = array(
    'group-coding' => 'Coders',
    'group-coding-member' => 'Coder',
    'grouppage-coding' => '{{ns:project}}:Coding',
    'right-coding' => 'Input raw HTML',
);
```
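
The cross-site scripting warning at the top of this page concerns the argument substitution in renderSecuredHTML(): the HTML: page is limited to the coding right, but the name=value arguments come from whichever wiki page calls {{#html: }} and are inserted without escaping. The script below is an added example, not the extension's code. It reproduces that substitution next to a variant that escapes each value for an HTML attribute; the function names and sample strings are constructed for illustration.

```php
<?php
// Added example, not part of the extension. Both functions follow the
// argument format used by renderSecuredHTML(): pairs split on '&',
// placeholders written as {{{name}}} or {{{name|}}}.

/** Substitution as the extension performs it: values are copied in verbatim. */
function substituteRaw(string $template, string $args): string {
    return substitute($template, $args, fn(string $v): string => $v);
}

/** Hardened variant: every value is escaped for a quoted HTML attribute. */
function substituteEscaped(string $template, string $args): string {
    return substitute(
        $template,
        $args,
        fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

/** Shared loop; $filter decides how a value is encoded before insertion. */
function substitute(string $template, string $args, callable $filter): string {
    foreach (explode('&', $args) as $pair) {
        $kv = explode('=', $pair, 2);
        if (count($kv) < 2) {
            continue; // argument without a value
        }
        $value = $filter($kv[1]);
        $template = str_replace('{{{' . $kv[0] . '|}}}', $value, $template);
        $template = str_replace('{{{' . $kv[0] . '}}}', $value, $template);
    }
    // Drop optional placeholders that received no argument.
    return preg_replace('/\{\{\{[^}]+\|\}\}\}/', '', $template);
}

// Constructed sample: content of an HTML: page written by a "coding" user.
$template = '<iframe src="{{{target}}}" scrolling="{{{scroll|}}}"></iframe>';

// Constructed sample: argument supplied on an ordinary wiki page. The double
// quote in the value closes the src attribute when it is not escaped.
$args = 'target=https://example.org/" data-injected="1&scroll=no';

echo substituteRaw($template, $args), "\n";
// <iframe src="https://example.org/" data-injected="1" scrolling="no"></iframe>

echo substituteEscaped($template, $args), "\n";
// <iframe src="https://example.org/&quot; data-injected=&quot;1" scrolling="no"></iframe>
```

Escaping keeps a value inside its attribute; it does not restrict which URL an attribute such as src may point to, so URL arguments also need an allow-list of schemes or hosts.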
See also
- Extension:SecureHTML - Similar name, different extension which restricts <html> sections to protected pages/namespaces.
- Extension:Secured HTML
- Extension:Secure HTML
- Extension:Anysite Embeds a website in a wiki page without touching HTML settings.
- Extension:Secured_PHP
- Extension:SecureWidgets