Last modified: 2011-03-13 18:05:45 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 1561 - Include HTML template in a wiki page
Include HTML template in a wiki page
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Templates (Other open bugs)
unspecified
All All
: Lowest enhancement with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-19 12:02 UTC by Alan Barrett
Modified: 2011-03-13 18:05 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Alan Barrett 2005-02-19 12:02:24 UTC
For the www.wikipedia.org portal, we want to include a search form in 
the middle of a page.  See [[meta:Www.wikipedia.org portal/Catherine]] 
for a non-functional mockup.

Please add a way to include a template as HTML rather than as 
wikitext.  For example, {{msghtml:name of template}}, by analogy with 
{{mshnw:name of template}}.  For safety, it should not work unless 
both the template itself and the page that uses {{msghtml:}} are 
protected.  However, it should work if a non-protected page includes a 
protected notmal template, which in turn includes a protected msghtml 
template.

If the above is implemented, then we will be able to:
1. create a protected HTML template "template:search box html" 
containing raw HTML code to display a search box.
2. create a protected normal template "template:search box", which 
uses "{{msghtml:search box html}}".
3. on any protected or unprotected page, use "{{search box}}" to get a 
search box.
Comment 1 Rowan Collins [IMSoP] 2005-02-19 15:55:21 UTC
(In reply to comment #0)
> However, it should work if a non-protected page includes a 
> protected notmal template, which in turn includes a protected msghtml 
> template.

I don't get the purpose of the intermediate step here: if Template:bar includes
nothing but {{msghtml:foo}}, and I use {{bar}}, how is that different (and,
specifically, safer) than me just using {{msghtml:foo}} directly?

I also think doing this generically would be rather difficult, whereas the
www.wikipedia.org portal (as I understand it) already involves magic pages which
are interpretted as HTML rather than wikicode, so that special case code could
probably be extended to have a few extra levels of abstraction if necessary. :)
[But then, I *don't* know how the current setup works, so I probably shouldn't
interfere.]
Comment 2 Alan Barrett 2005-02-19 17:57:36 UTC
(In reply to comment #1)
> I don't get the purpose of the intermediate step here: if Template:bar
> includes nothing but {{msghtml:foo}}, and I use {{bar}}, how is that
> different (and, specifically, safer) than me just using {{msghtml:foo}}
> directly?

Postulate a protected page {{baz}}, which is not written in HTML, but which 
would cause bad effects if treated as if it were written in HTML.  Now let an 
untrusted user says {{msghtml:baz}} on an unprotected page.  Then the bad 
effects happen.  If non-protected pages were not allowed to use {{msghtml:}}, 
this problem would not arise.

> I also think doing this generically would be rather difficult, whereas the
> www.wikipedia.org portal (as I understand it) already involves magic pages
> which are interpretted as HTML rather than wikicode, so that special case
> code could probably be extended to have a few extra levels of abstraction
> if necessary. :)

The special case code currently has exactly two levels.  A "portal" page is 
written in wikicode, and a "template" page is written in HTML.  The HTML 
template is allowed to contain a magic "$1" which means "insert HTML equivalent 
of portal page here.  Something in the apache config invokes extract2.php to mix 
everything together.
Comment 3 Alan Barrett 2005-02-19 18:50:09 UTC
(In reply to comment #1)
> I also think doing this generically would be rather difficult

If it's difficult to do generically, would it be feasible to have a few 
predefined HTML templates?  For example, could "Mediawiki:Search form for www.
wikipedia.org portal" be treated as a special case (via some sort of list of 
special cases in the software config)?  Even better, could any page that matches 
the pattern "Mediawiki:HTML template/*" be treated as HTML?  If so, then one 
could have a protected page like "Mediawiki:HTML template/Search form for www.
wikipedia.org portal" with the right HTML code, and just say "{{Mediawiki:HTML 
template/Search form for www.wikipedia.org portal}}" in the wikicode for the 
portal.

Having well-known names for all HTML templates would remove the need to prohibit 
non-protected pages from using HTML templates, because it would be impossible to 
cause a non-HTML template to be treated as an HTML template.

Even if the list of HTML templates did not have any scope for wildcard patterns, 
it would be good enough to use.

Comment 4 Alan Barrett 2005-02-25 19:06:03 UTC
How about using the extension mechanism ([[meta:
Write_your_own_MediaWiki_extension]]) to define a <rawhtml>...</
rawhtml> extension?  Can an extension figure out whether it is be
ing invoked on a protected page?  I imagine something like

function renderRawhtml($input) {
   if ($page_is_protected) {
       return $input;
   } else {
       return treat_like_nowiki_text($input);
   }
}
Comment 5 Alan Barrett 2005-02-25 19:24:07 UTC
Or what if Sanitizer::removeHTMLtags() in phase3/includes/Sanitizer.php just 
allowed a few extra things (like <form>, <input>, <button>) on protected pages, 
perhaps under control of yet another site config option?

Or what if the definition of $wgRawHtml was changed to allow it to work on 
protected pages even if $wgWhitelistEdit was false (see strip() in phase3/
includes/Parser.php)?
Comment 6 Alan Barrett 2005-02-25 19:57:13 UTC
I am still trawling the source code for ideas.

Would it work to just put some HTML code in a protected page named "Mediawiki:
searchbox", and use "{{int:searchbox}}" from any other page?  The code in 
Parser.php that handles MAG_INT calls wfMsgReal(), which seems to look up the 
message in the mediawiki namespace and treat it as raw html.  But I am not sure 
whether it gets sanitised later (which would break it).
Comment 7 Brion Vibber 2005-02-25 20:00:21 UTC
As has been explained several times, linking HTML execution to page protection is extremely unsafe.

A page's being protected does *not* mean it was written and vetted by a trusted administrator; many 
protected pages are involved in edit wars for instance, and contain whatever someone left them as. 
Template inclusions from there make it a huge security risk.

I'm not sure what this has to do with the magic portal page. If a special case is required, a parser extension 
is my strong recommendation.
Comment 8 Alan Barrett 2005-02-25 20:24:50 UTC
(In reply to comment #7)
> A page's being protected does *not* mean it was written and vetted by a
> trusted administrator;

Good point.  But does that also apply to text on pages in the mediawiki 
namespace?  (Is it possible to have a page in the mediawiki namespace that was 
not written by a trusted administrator?)

> a parser extension is my strong recommendation.

I'd prefer it if somebody who was familiar with the code did the work, but I am 
willing to look into doing it myself.  Do you have any suggestions?
Comment 9 Brion Vibber 2005-04-22 12:40:36 UTC
Reassigned to enhancement severity, as this is a feature request.
Comment 10 Alan Barrett 2005-09-27 19:28:48 UTC
Could the new <inputbox> extension be enhanced to 
support what is wanted at www.wikipedia.org?  
Something like <inputbox>type=search</inputbox>, 
but with more parameters (to control layout and the 
presence of a language selection fiels).
Comment 11 Chad H. 2009-04-22 15:50:58 UTC
Marking WONTFIX. The HTML that is already allowed in pages/templates/etc can be transcluded as needed. No additional HTML should be allowed (directly or indirectly) simply because it's been protected (per comment #7).

The www.wikipedia.org template works just fine on meta, and doesn't need this anyway.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links