Last modified: 2011-03-13 18:05:27 UTC
I would like to have the ability in MediaWiki to be able to allow embedded javascript and other normally verboten code on certain pages. I can't just flat out enable $wgRawHtml because then everyone with editing privileges can add dangerous code. We can't make it that only certain users are able to insert it, because there is no way to check it and subsequent editors could change the code on the page. So what we need to do is restrict only certain users the permission to edit pages with dangerous code. Protected pages is perfect for this. We should make a feature for MediaWiki that allows raw HTML on protected pages. Of course this could be turned off (and would probably be turned off by default). Admins would be able to add embedded HTML and JS features without every user having the ability to do this.
I see that someone marked this as an extension request. This should be just part of MW. There should be a config option to allow code on protected pages. There should be no need to do this as an extension.
I'm not sure that we want this at all, and probably not in the core code, hence marking it as an extension request rather than dismissing it outright.
(In reply to comment #2)
> I'm not sure that we want this at all, and probably not in the core code, hence
> marking it as an extension request rather than dismissing it outright.

We already have $wgRawHtml to allow code from everyone to run. This is just a little step above that. Why would we not want this as an option? We can have it disabled by default. This seems to be something which could be easily accomplished in the core code.
$wgRawHtml is an "all or nothing" solution; doing this page-by-page stuff raises the level of complexity, and with that, raises the scope for abuse or accidentally allowing some dodgy code to raze your database to the ground. Just because something is simple to add to core code, doesn't mean it should always be added. Many people don't use the "raw HTML" option anyway, and those who don't won't really welcome the extra bloat. I'm willing to be persuaded, though. Create a patch to do this and persuade another committer to add it, and I'm not going to revert it if it works safely.
Feature bloat, it seems. Also, what about protection that expires or falls off due to deletion? It would be hard to safe-guard against injection.