On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert
<[email protected]> wrote:
> Hello,
>
> I was wondering about the security of Widgets (
> https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters
> passed to them. Any thoughts?
>
> Are the parameters passed through to the widget cleansed of html/scripts?
> If they aren't -- is it possible to easily enforce typing/boundaries on the
> parameters?
>
> Generally speaking, I am looking for a discussion around security &
> widgets.
>
> A widget I created (below) takes three parameters (width, height, filename)
> and feeds those to OpenSeadragon( https://openseadragon.github.io /
> https://en.wikipedia.org/wiki/Seadragon_Software ). It works on a testing
> server.
>
> OpenSeadragon was discussed in brainstorming in 2015 -
> https://www.mediawiki.org/wiki/Reading/Quarterly_Brainstorming
>
> My interest in this is virtual (microscopic) slides (e.g.
> http://openslide.org/demo/ ) which are often
> several gigabytes of data each.
>
> Thanks,
> Michael
>
> ------------------------
> Widget code...
>
> Create page: Widget:OpenSeadragon
> ---------------------------------------------------------------------
> <noinclude>__NOTOC__
> <!-- Copyright (c) 2016 Michael Bonert -->
> <!-- Released under GNU General Public Licence - Version 3; see
> http://www.gnu.org/licenses/gpl.html -->
> To insert this widget, use the following code:
>
> <nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
> |image=12881.dzi
> |width=800
> |height=600
> }}</nowiki>
>
>
> </noinclude>
> <includeonly><!-- This inserts an OpenSeadragon image -->
> <div id="openseadragon1" style="width:
> <!--{$width|default:400|escape:'html'}-->px; height:
> <!--{$height|default:300|escape:'html'}-->px;"></div>
> <script src="../../openseadragon/openseadragon.min.js"></script>
> <script type="text/javascript">
> var viewer = OpenSeadragon({
> id: "openseadragon1",
> prefixUrl: "../../openseadragon/images/",
> tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
> });
> </script>
> </includeonly>
> -------------------------------------------------
>
>
>
[Sorry for so much spam to list]
p.p.s. I guess I should actually answer your question. I'm not really
familiar with smarty/widgets best practices so there might be a better
way, but one possible solution would be code like
<!--{$width|default:400|regex_replace:"/\D/":""} -->. In theory
anyways (I based that on the docs, have not tested, could totally be
misunderstanding things and be totally wrong).
--
bawolff
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
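The parameter cleaning discussed in this thread, written out as an added JavaScript example (it is not code from the thread, from the Widgets extension or from OpenSeadragon). It applies bawolff's digits-only idea (the Smarty `regex_replace:"/\D/":""` modifier) to the width and height parameters, which end up inside an inline style where `escape:'html'` alone does not constrain them, and adds an allowlist check for the image name before it is placed in the tileSources path. The `IMAGE_NAME_PATTERN`, the size cap and the function names are assumptions for this example; the defaults 400/300 and the paths come from the widget in the thread.

```javascript
// Added example: validate the three widget parameters (width, height, image)
// before they reach a CSS or JavaScript context. Not part of the thread,
// the Widgets extension or OpenSeadragon.

const DEFAULT_WIDTH = 400;   // defaults used by the widget template
const DEFAULT_HEIGHT = 300;
const MAX_DIMENSION = 4096;  // assumed upper bound, keeps layout sane

// Assumed allowlist: a bare .dzi file name, no slashes, dots, spaces or
// query characters, so the value cannot leave the ../../vslide/ directory.
const IMAGE_NAME_PATTERN = /^[A-Za-z0-9_-]+\.dzi$/;

// Dimension: keep digits only (the same effect as Smarty's
// regex_replace:"/\D/":""), fall back to the default when nothing usable
// is left or the result is zero, and cap oversized values.
function cleanDimension(raw, fallback, max = MAX_DIMENSION) {
  const digits = String(raw ?? '').replace(/\D/g, '');
  if (digits === '') return fallback;
  const n = parseInt(digits, 10);
  if (n === 0) return fallback;
  return Math.min(n, max);
}

// Image name: accept only values matching the allowlist, otherwise null.
// An allowlist is preferable to stripping characters here, because a
// path component has more dangerous characters than a number does.
function cleanImageName(raw) {
  const name = String(raw ?? '');
  return IMAGE_NAME_PATTERN.test(name) ? name : null;
}

// Build the OpenSeadragon options and the container style from cleaned
// values. Returns null when the image name is rejected, so the caller
// renders nothing instead of an unexpected path.
function buildViewerConfig(params) {
  const image = cleanImageName(params.image);
  if (image === null) return null;
  const width = cleanDimension(params.width, DEFAULT_WIDTH);
  const height = cleanDimension(params.height, DEFAULT_HEIGHT);
  return {
    id: 'openseadragon1',
    prefixUrl: '../../openseadragon/images/',
    // encodeURIComponent is a second layer; the allowlist already forbids
    // anything it would need to encode.
    tileSources: '../../vslide/' + encodeURIComponent(image),
    width,
    height,
    style: 'width: ' + width + 'px; height: ' + height + 'px;',
  };
}

// Usage with the parameters from the thread's example invocation.
const example = buildViewerConfig({ image: '12881.dzi', width: '800', height: '600' });
console.log(JSON.stringify(example, null, 2));
```

The digits-only rule is fine for numbers because every character it removes is one a number never needs; for the file name the same approach would have to guess which characters are harmful, so the example inverts the logic and states which characters are permitted.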