Last modified: 2011-03-13 18:05:27 UTC
I would like to have the ability in MediaWiki to be able to allow embedded
flat out enable $wgRawHtml because then everyone with editing privileges can add
dangerous code. We can't make it that only certain users are able to insert it,
because there is no way to check it and subsequent editors could change the code
on the page. So what we need to do is restrict to only certain users the
permission to edit pages with dangerous code. Protected pages are perfect for this.
We should make a feature for MediaWiki that allows raw HTML on protected pages.
Of course this could be turned off (and would probably be turned off by
default). Admins would be able to add embedded HTML and JS features without
every user having the ability to do this.
I see that someone marked this as an extension request. This should be just
part of MW. There should be a config option to allow code on protected pages.
There should be no need to do this as an extension.
I'm not sure that we want this at all, and probably not in the core code, hence
marking it as an extension request rather than dismissing it outright.
(In reply to comment #2)
> I'm not sure that we want this at all, and probably not in the core code, hence
> marking it as an extension request rather than dismissing it outright.
We already have $wgRawHtml to allow code from everyone to run. This is just a
little step above that. Why would we not want this as an option? We can have it
disabled by default. This seems to be something which could be easily
accomplished in the core code.
$wgRawHtml is an "all or nothing" solution; doing this page-by-page stuff raises
the level of complexity, and with that, raises the scope for abuse or
accidentally allowing some dodgy code to raze your database to the ground.
Just because something is simple to add to core code, doesn't mean it should
always be added. Many people don't use the "raw HTML" option anyway, and those
who don't won't really welcome the extra bloat.
I'm willing to be persuaded, though. Create a patch to do this and persuade
another committer to add it, and I'm not going to revert it if it works safely.
Feature bloat, it seems. Also, what about protection that expires or falls off due to deletion? It would be hard to safeguard against injection.