Manual:$wgRawHtml
| HTML: $wgRawHtml | |
|---|---|
| Allow raw, unchecked HTML in <html>...</html> sections. | |
| Introduced in version: | 1.3.4 |
| Removed in version: | still in use |
| Allowed values: | (boolean) |
| Default value: | false |
Details
When $wgRawHtml = true; the wiki will allow you to insert raw, unchecked HTML. However, you must embed your HTML within <html>...</html> tags so that MediaWiki can differentiate it.
This is very dangerous on a publicly editable site, because it allows arbitrary JavaScript code to be inserted, opening the door to session hijacking. Thus, you shouldn't enable it unless you've restricted editing to trusted users only with $wgGroupPermissions (versions 1.3.x and 1.4.x can use $wgWhitelistEdit). See Manual:Preventing access for more information on restricting write access.
Is enabling raw HTML necessary?
Some HTML tags are permitted in wikitext, even with $wgRawHtml=false. See meta:Help:HTML in wikitext. The vast majority of fancy formatting seen on Wikimedia sites is achieved using these limited tags (e.g. tables with CSS style tags). If you can make do with these limitations and leave $wgRawHtml=false, your wiki will be more secure.
Also note that the "limited" wiki syntax is actually a deliberate design feature of wikis. It is a compact simplified markup which is easily understood even by non-technical users, easily visualised in diff displays, and discourages stylistic tinkering in favour of getting on with writing useful/interesting text.
Related Extensions
There are a number of extensions which promise to allow more HTML flexibility, while improving the security situation. Some require setting $wgRawHtml=true in conjunction with using the extension, while others offer an alternative.
- Extension:Secure HTML – adds "secret key" protection for HTML sections.
- Extension:AddHTML – allows HTML on protected pages only
- Extension:SecureHTML – allows HTML on protected pages only + namespace controls
- Extension:HTMLets – allows pre-defined HTML snippets with $wgRawHtml=false
- Extension:RawMsg – allows HTML as stored in MediaWiki namespace only (does not work on MediaWiki 1.18+)
- Extension:Widgets – allows HTML and Smarty PHP templates, ostensibly in the form of "widgets", but it can do nearly anything else too.
Another way to get custom HTML appearing within your wiki articles is to develop your own tag extension. Do not be tempted to develop an extension which allows arbitrary HTML, otherwise the same serious security issues apply as with setting $wgRawHtml=true.
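A tag extension that stays on the safe side of that warning emits one fixed HTML template and fills it only with validated values. The following is an added example, not code from MediaWiki or any listed extension; the tag name `videoembed`, the function names and the host `video.example.org` are hypothetical.

```php
<?php
// Added example for LocalSettings.php or a small extension file.
// Hypothetical names: <videoembed>, wfVideoEmbedInit, wfVideoEmbedRender,
// and the embed host video.example.org.

$wgRawHtml = false; // raw <html> sections stay disabled

$wgHooks['ParserFirstCallInit'][] = 'wfVideoEmbedInit';

function wfVideoEmbedInit( Parser $parser ) {
	// Register <videoembed id="..." width="..." /> as a parser tag.
	$parser->setHook( 'videoembed', 'wfVideoEmbedRender' );
	return true;
}

function wfVideoEmbedRender( $input, array $args, Parser $parser, PPFrame $frame ) {
	// $input (text between the tags) is deliberately ignored: editors
	// supply parameters, never markup.
	$id = isset( $args['id'] ) ? $args['id'] : '';

	// Allowlist the identifier. /D stops "$" matching before a trailing newline.
	if ( !preg_match( '/^[A-Za-z0-9_-]{6,20}$/D', $id ) ) {
		return Html::element( 'span', [ 'class' => 'error' ],
			'videoembed: invalid id' );
	}

	// Numeric parameters are cast and clamped rather than echoed back.
	$width = isset( $args['width'] ) ? (int)$args['width'] : 480;
	$width = max( 160, min( $width, 960 ) );
	$height = (int)round( $width * 9 / 16 );

	// The scheme, host and path prefix are constants, so the editor cannot
	// point the frame elsewhere. Html::element() escapes attribute values.
	return Html::element( 'iframe', [
		'src' => 'https://video.example.org/embed/' . rawurlencode( $id ),
		'width' => $width,
		'height' => $height,
		'frameborder' => 0,
	], '' );
}
```

Editors can only choose which video appears and how wide it is; no attribute, URL scheme or script they type reaches the page output.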