Extension:Secured HTML
This extension stores its source code on a wiki page. Please be aware that this code may be unreviewed or maliciously altered. It may contain security holes, outdated interfaces that are no longer compatible, etc. Note: No localisation updates are provided for this extension by translatewiki.net.
WARNING: The code or configuration described here poses a major security risk.
Site administrators: You are advised against using it until this security issue is resolved.
Problem: Vulnerable to cross-site scripting attacks, because it passes user input directly to the browser. This may lead to user accounts being hijacked, among other things.
Solution: Strictly validate user input and/or apply escaping to all characters that have a special meaning in HTML.
Secured HTML (release status: beta)

Field | Value
---|---
Implementation | Tag
Description | Gives allowed users the ability to add raw HTML to pages.
Author(s) | Shaiaqua
License | No license specified
Download | see below

This extension allows users with the coding right to add raw HTML to pages, with the {{#html: }} function.
Usage
- Example 1
In any wiki page, insert the following markup:
{{#html: mysite_iframe}}
A user that belongs to the "coders" group must also create a page in the "HTML" namespace, called HTML:mysite_iframe that contains:
<iframe src="mysite.com">
- Example 2
This extension also allows arguments to be substituted during the inclusion phase:
{{#html: any_iframe|target=mysite.com|scroll=no}}
A user that belongs to the "coders" group must also create a page in the "HTML" namespace, called HTML:any_iframe that contains:
<iframe src="{{target}}" scrolling="{{scroll}}">
Download instructions
Please cut and paste the code found below and place it in $IP/extensions/Secured_HTML/Secured_HTML.php and $IP/extensions/Secured_HTML/Secured_HTML.i18n.php. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.
Installation
To install this extension, add the following to LocalSettings.php:
```php
$wgGroupPermissions['coding']['coding'] = true;
require_once("$IP/extensions/Secured_HTML/Secured_HTML.php");
```
Code
Secured_HTML.php:
```php
<?php
# Create the HTML namespace and its talk namespace
define( "NS_HTML", 122 );
define( "NS_HTML_TALK", 123 );
$wgExtraNamespaces[NS_HTML] = "HTML";
$wgExtraNamespaces[NS_HTML_TALK] = "HTML_talk";

# Protect the namespace: only users with the 'coding' right may edit it
$wgNamespaceProtection[NS_HTML] = array( "coding" );
$wgNamespacesWithSubpages[NS_HTML] = true;
$wgGroupPermissions['*']['coding'] = false;
$wgGroupPermissions['coding']['coding'] = true;
$wgAvailableRights[] = 'coding';

$wgExtensionMessagesFiles['Secured_HTML'] = dirname( __FILE__ ) . '/Secured_HTML.i18n.php';
$wgExtensionFunctions[] = "wfSecuredHTMLExtension";
$wgHooks['LanguageGetMagic'][] = 'efHtml_Magic';
$wgExtensionCredits['parserhook'][] = array(
    'name' => 'Secured HTML',
    'author' => 'Shaiaqua',
    'url' => 'http://www.mediawiki.org/wiki/Extension:Secured_HTML',
    'description' => 'Lets you include arbitrary HTML in an authorized and secure way',
);

# Register the {{#html: }} parser function
function wfSecuredHTMLExtension() {
    global $wgParser;
    $wgParser->setFunctionHook( "html", "renderSecuredHTML" );
    wfLoadExtensionMessages( 'Secured_HTML' );
}

function efHtml_Magic( &$magicWords, $langCode ) {
    $magicWords['html'] = array( 0, 'html' );
    return true;
}

# $param1: name of the page in the HTML namespace
# $param2: '&'-separated name=value pairs for {{{name}}} / {{{name|}}} placeholders
function renderSecuredHTML( &$parser, $param1 = '', $param2 = '' ) {
    $title = Title::makeTitleSafe( NS_HTML, $param1 );
    // makeTitleSafe() returns null for an invalid title, so test it before calling exists()
    if ( !$title ) return false;
    if ( !$title->exists() ) return "[[{$param1}]]"; // return standard red link if page doesn't exist
    $revision = Revision::newFromTitle( $title );
    if ( !$revision ) return false;
    $wikitext = $revision->getText();
    if ( $param2 ) {
        $params = explode( '&', $param2 );
        foreach ( $params as $param ) {
            $param = explode( '=', $param, 2 );
            if ( count( $param ) < 2 ) continue; // skip arguments without a value
            // NOTE: the value is inserted without validation or escaping
            // (the issue described in the warning at the top of this page)
            $wikitext = str_replace( '{{{' . $param[0] . '|}}}', $param[1], $wikitext );
            $wikitext = str_replace( '{{{' . $param[0] . '}}}', $param[1], $wikitext );
        }
    }
    // Remove optional placeholders that were not filled
    $wikitext = preg_replace( '/{{{[^}]+\|}}}/', '', $wikitext );
    $output = $wikitext;
    // Returned as raw HTML: the parser does not process or sanitise it further
    return array( $output, 'noparse' => true, 'isHTML' => true );
}
```
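One way to apply the "Solution" from the warning at the top of this page to the argument substitution in renderSecuredHTML(), given as an added example that is not the extension's own code. The function name fillPlaceholders() and the sample input are assumptions made for illustration; the function follows the code's '&'-separated name=value arguments and {{{name}}} placeholders.

```php
<?php
// Added example: hypothetical stand-alone replacement for the substitution
// loop in renderSecuredHTML(). fillPlaceholders() is not part of the extension.

/**
 * Fill {{{name}}} / {{{name|}}} placeholders from '&'-separated name=value
 * arguments. Values are validated, then HTML-escaped before insertion.
 */
function fillPlaceholders( string $html, string $args ): string {
    $values = array();
    foreach ( explode( '&', $args ) as $pair ) {
        $parts = explode( '=', $pair, 2 );
        if ( count( $parts ) !== 2 ) {
            continue; // malformed argument (no '='): ignore it
        }
        $name = trim( $parts[0] );
        $value = trim( $parts[1] );
        if ( !preg_match( '/^\w+$/', $name ) ) {
            continue; // placeholder names are restricted to word characters
        }
        // Reject control characters, and any URL scheme other than http(s),
        // so a value placed in src="" cannot become a script URL.
        if ( preg_match( '/[\x00-\x1F\x7F]/', $value )
            || ( preg_match( '/^[a-z][a-z0-9+.\-]*:/i', $value )
                && !preg_match( '#^https?://#i', $value ) )
        ) {
            continue;
        }
        // Escape &, <, >, " and ' so the value cannot close the attribute or tag.
        $values[$name] = htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    // Single pass: substituted values are never re-scanned for placeholders.
    return preg_replace_callback(
        '/\{\{\{(\w+)(\|?)\}\}\}/',
        function ( $m ) use ( $values ) {
            if ( isset( $values[$m[1]] ) ) {
                return $values[$m[1]];
            }
            // Unfilled: drop optional {{{name|}}}, keep {{{name}}} as written.
            return $m[2] === '|' ? '' : $m[0];
        },
        $html
    );
}

// Constructed sample input: the second value tries to break out of the attribute.
$tpl = '<iframe src="{{{target}}}" scrolling="{{{scroll|}}}"></iframe>';
echo fillPlaceholders( $tpl, 'target=https://mysite.com/&scroll=no"><b>x</b>' ), "\n";
```

This covers only the argument values, which any editor who can call {{#html: }} supplies. The content of pages in the HTML namespace is still emitted as raw HTML and relies on the namespace protection set up in Secured_HTML.php.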
Secured_HTML.i18n.php:
```php
<?php
$messages = array();
$messages['en'] = array(
    'group-coding' => 'Coders',
    'group-coding-member' => 'Coder',
    'grouppage-coding' => '{{ns:project}}:Coding',
    'right-coding' => 'Input raw HTML',
);
```
See also
- Extension:SecureHTML - Similar name, different extension which restricts <html> sections to protected pages/namespaces.
- Extension:Secured HTML
- Extension:Secure HTML
- Extension:Anysite - Embeds a website in a wiki page without touching HTML settings.
- Extension:Secured_PHP
- Extension:SecureWidgets