Extension:SecureHTML
The author of this extension is no longer maintaining it, meaning that feature requests and bug reports will more than likely be ignored. Volunteers are encouraged to take on the task of developing and maintaining it. As a courtesy, you may want to contact the author. You should also remove this template and list yourself as the maintainer in the page's {{extension}} infobox.
WARNING: The code or configuration described here poses a major security risk.
Site administrators: You are advised against using it until this security issue is resolved.
Problem: Vulnerable to cross-site scripting attacks, because it passes user input directly to the browser. This may lead to user accounts being hijacked, among other things.
Solution: strictly validate user input and/or apply escaping to all characters that have a special meaning in HTML.
SecureHTML
Release status: beta

| | |
|---|---|
| Implementation | Tag, User rights |
| Description | This extension securely inserts HTML section(s) or pages on a wiki page. |
| Author(s) | Jean-Lou Dupont |
| Last version | 2.3.0 |
| MediaWiki | 1.10.0 - 1.15.x |
| License | No license specified |
| Download | |
This extension allows editors to add HTML section(s) or pages to a wiki page. The raw HTML is only honoured on edit-protected pages (or in exempted namespaces), but an editor can include a protected template containing raw HTML from an unprotected, editable page. The extension works through MediaWiki's $wgRawHtml global variable.
Features
- Cascading: if the base page is allowed to use <html> tags, then all included pages are processed as if they were allowed to as well.
- Namespace exemption: configured namespaces are exempted from the 'protection' requirement.
- Parser cache friendliness: the extension must stay enabled for the inserted content to continue to be supported.
- Support for the parser function {{#html}}.
- {{#shtml}} is well suited for securely embedding widgets such as those created with SproutBuilder or Google Gadgets.
  - The page where the #shtml parser function is used does not need to be protected, but the template page holding the JavaScript/HTML widget code must be.
  - This behaviour makes it easy for administrators to allow selected widgets to be included by the wiki's user population.
Usage
<html> tag
- Use the standard <html> tags (see Manual:$wgRawHtml) within a protected page. The page can be protected either before or after the tag(s) are added.
- Complete usage example using an iframe tag:
<html><iframe src="http://stim.com/" width="600" height="500"></iframe></html>
{{#html}} parser function
Use: {{#html:page_name [|optional parameters]}}
where:
- page_name is the page name of the article to include
- optional parameters are of the form: param_x = value_x | param_y = value_y
The page where this parser function is used must be edit protected.
{{#shtml}} parser function
Same usage as for #html, with the difference that the origin page where this parser function is used does not need to be edit protected. The target page's edit protection is what ensures security.
Example
Test Page
{{#html:Template:Page1|param1=value1}}
Template:Page1
This parameter will be replaced when called from Test Page >> {@{param1}@}
Required extensions
- StubManager extension
- ParserFunctionsHelper extension (optional; only required for the parser function #shtml)
Installation
See the "Download" entry of the extension table above.[1]
LocalSettings.php
Extension:ExtensionManager: see footnote[2].
- If the extension was downloaded from Jean-Lou Dupont's MediaWiki SVN directory (link in the download entry of the table above), add the following to LocalSettings.php[2]:
require_once( "$IP/extensions/SecureHTML/SecureHTML.php" );
- Since this extension depends on StubManager, add the line after the StubManager include, or else your wiki won't work.
PEAR
PEAR is a repository of PHP software code.
require 'MediaWiki/SecureHTML/SecureHTML.php';
Upgrades through PEAR
Sometimes it is necessary to clear PEAR's cache in order to perform upgrades, or to use the force method.
PEAR Web Frontend
For easier remote package management, PEAR Frontend WEB can be installed. Installation notes can be found here. An example of the WEB frontend is available here.
Notes
[1] The most recent release is always available through the extension's PEAR and SVN repositories. This page is not necessarily up-to-date.
[2] Extension:ExtensionManager does not require any modification to LocalSettings.php, because ExtensionManager includes the extension. Note that if PHP code caching is in place (e.g. APC, eAccelerator), a cache flush might be needed to successfully complete the installation.
[3] Modifications to LocalSettings.php are only necessary if not using Extension:ExtensionManager.
Other Extensions From the same author
Consult User Jldupont's page.
Reason for the {{#html}} parser function
It is sometimes useful to include, in a secure fashion, a template containing raw HTML in another page. This enables, for example, the construction of gadgets.
With the added parameterization via the {@{parameter_here}@} syntax, such templates can be customized on a per-page basis without resorting to convoluted escape patterns (e.g. </html>{{{parameter_here}}}<html>), which make the page source hard for humans to read.
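The parameter substitution described above is where the warning box at the top of this page matters most: with #shtml the page that supplies the param values need not be protected, so those values are untrusted input landing inside raw HTML that is sent to the browser as-is. The following is an added illustration written for this page, not the extension's own code. It models the protection rule stated in the Usage section (#html: caller must be protected; #shtml: target must be protected) and the {@{name}@} substitution, once unescaped and once with the escaping the warning box recommends. The function names, the placeholder regex, and the sample template and call are all assumptions made here.

```php
<?php
// Added illustration for this page; not SecureHTML's code. The function names,
// the placeholder regex and the sample data below are assumptions made for
// the example.

/**
 * Protection rule as the Usage section states it:
 *   #html  - the page using the function must be edit-protected (protection
 *            then cascades to whatever it includes);
 *   #shtml - only the target page holding the raw HTML must be protected.
 */
function insertionAllowed(string $function, bool $callerProtected, bool $targetProtected): bool
{
    switch ($function) {
        case 'html':
            return $callerProtected;
        case 'shtml':
            return $targetProtected;
        default:
            return false;
    }
}

/**
 * Split the arguments of {{#html:page_name|param_x = value_x|param_y = value_y}}
 * into the target page name and a name => value map.
 */
function parseHtmlArgs(array $args): array
{
    $page = trim((string) array_shift($args));
    $params = [];
    foreach ($args as $arg) {
        if (strpos($arg, '=') === false) {
            continue; // not of the form param = value; ignored
        }
        [$name, $value] = explode('=', $arg, 2);
        $params[trim($name)] = trim($value);
    }
    return [$page, $params];
}

// Matches {@{name}@} placeholders (whitespace inside the braces tolerated).
const PLACEHOLDER_RE = '/\{@\{\s*([A-Za-z0-9_]+)\s*\}@\}/';

/** Unescaped substitution: the caller's value is written into the HTML verbatim. */
function substituteRaw(string $templateBody, array $params): string
{
    return preg_replace_callback(PLACEHOLDER_RE, function (array $m) use ($params): string {
        return $params[$m[1]] ?? '';
    }, $templateBody);
}

/** Hardened substitution: every value is HTML-escaped before it is written. */
function substituteEscaped(string $templateBody, array $params): string
{
    return preg_replace_callback(PLACEHOLDER_RE, function (array $m) use ($params): string {
        return htmlspecialchars($params[$m[1]] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $templateBody);
}

// Constructed sample: a protected template whose iframe source is a parameter,
// called via #shtml from an unprotected page whose editor controls "src".
$templateBody = '<html><iframe src="{@{src}@}" width="600" height="500"></iframe></html>';
$callArgs = ['Template:Page1', 'src = "></iframe><script>alert(document.cookie)</script><iframe src="'];

[$target, $params] = parseHtmlArgs($callArgs);

// #shtml: caller unprotected, target protected. #html with the same pages is
// refused because the caller is not protected.
echo 'shtml allowed: ', var_export(insertionAllowed('shtml', false, true), true), "\n";
echo 'html allowed:  ', var_export(insertionAllowed('html', false, true), true), "\n";

echo "raw:     ", substituteRaw($templateBody, $params), "\n";
echo "escaped: ", substituteEscaped($templateBody, $params), "\n";
```

In the raw output the value closes the iframe element and injects a script element, which is the stored cross-site scripting the warning box describes, reachable from an unprotected page. In the escaped output the quotes and angle brackets become entities and the value stays a string inside the src attribute. Escaping is only the second half of the warning's advice: a value such as javascript:alert(1) is a perfectly valid escaped attribute string, so a placeholder that lands in a URL attribute also needs its scheme validated (http/https) on the caller's side, and placeholders inside <script> blocks or event-handler attributes need context-specific handling rather than htmlspecialchars alone.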
History
- Added namespace exemption functionality, i.e. namespaces where articles do not need to be protected in order to use <html> tags:
  - use SecureHTMLclass::$enableExemptNamespaces = false; to turn it off
  - use SecureHTMLclass::$exemptNamespaces[] = NS_XYZ; to add namespaces
- Enhanced with functionality to add content to the document's head section
- Removed dependency on ExtensionClass
- Enabled for StubManager
- Added the addExemptNamespaces function
1.1.0
- Added, by default, the NS_MEDIAWIKI namespace to exemptNamespaces
2.0.0
- Addition of the parser function {{#html}}
2.1.0
- Addition of the parser function #shtml (requires Extension:ParserFunctionsHelper)
Todo
- Fix to allow more customization of 'exempt' namespaces even when using StubManager
- Think about renaming the extension to be more distinct from Extension:Secure HTML
See also
- Extension:Secured HTML - Similar name, different extension which restricts <html> sections to protected pages/namespaces.
- Extension:Secure HTML
- Extension:Anysite - Embeds a website in a wiki page without touching HTML settings.
- Extension:Secured_PHP
- Extension:SecureWidgets