On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert michael@librepathology.org wrote:
Hello,
I was wondering about the security of Widgets ( https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters passed to them. Any thoughts?
Are the parameters passed through to the widget cleansed of html/scripts? If it isn't -- is it possible to easily enforce typing/boundaries on the parameters?
Generally speaking, I am looking for a discussion around security & widgets.
A widget I created (below) takes three parameters (width, height, filename) and feeds those to OpenSeadragon ( https://openseadragon.github.io / https://en.wikipedia.org/wiki/Seadragon_Software ). It works on a testing server.
OpenSeadragon was discussed in brainstorming in 2015 - https://www.mediawiki.org/wiki/Reading/Quarterly_Brainstorming
My interest in this is virtual (microscopic) slides (e.g. http://openslide.org/demo/ ) which are often several gigabytes of data each.
Thanks, Michael
Widget code...
Create page: Widget:OpenSeadragon
<noinclude>__NOTOC__
<!-- Copyright (c) 2016 Michael Bonert -->
<!-- Released under GNU General Public Licence - Version 3; see http://www.gnu.org/licenses/gpl.html -->
To insert this widget, use the following code:
<nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki> |image=12881.dzi |width=800 |height=600 }}</nowiki>
</noinclude>
<includeonly><!-- This inserts an OpenSeadragon image -->
<div id="openseadragon1" style="width: <!--{$width|default:400|escape:'html'}-->px; height: <!--{$height|default:300|escape:'html'}-->px;"></div>
<script src="../../openseadragon/openseadragon.min.js"></script>
<script type="text/javascript">
var viewer = OpenSeadragon({
    id: "openseadragon1",
    prefixUrl: "../../openseadragon/images/",
    tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
});
</script>
</includeonly>
-------------------------------------------------
[Sorry for so much spam to list]
p.p.s. I guess I should actually answer your question. I'm not really familiar with smarty/widgets best practices so there might be a better way, but one possible solution would be code like <!--{$width|default:400|regex_replace:"/\D/":""} -->. In theory anyways (I based that on the docs, have not tested, could totally be misunderstanding things and be totally wrong).
-- bawolff
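As an added illustration for both the original question (are widget parameters cleansed, and can types/boundaries be enforced) and the regex_replace suggestion in the reply, the following Python models the filters involved and runs them over constructed inputs. It is not code from the thread, from the Widgets extension or from Smarty; it only approximates what the Smarty modifiers `default`, `escape:'html'` and `regex_replace` do to a string. The helper names, the size bounds in `width_checked` and the `.dzi` filename pattern in `dzi_name_allowed` are assumptions made for the example.

```python
"""Model of the widget parameter filters discussed in the thread.

Illustrative Python only: it mimics the effect of Smarty modifiers on a
string so the differences can be checked offline; it is not Smarty/PHP
and not code from the Widgets extension.
"""
import re
from html import escape


def smarty_default(value, default):
    """Approximates |default:X -- fall back when the variable is unset or empty."""
    return default if value is None or value == "" else str(value)


def escape_html(value):
    """Approximates |escape:'html' (what the posted widget uses).
    Only & < > " ' are touched; ';' and CSS keywords pass through."""
    return escape(str(value), quote=True)


def strip_non_digits(value):
    """Approximates |regex_replace:"/\\D/":"" from the reply."""
    return re.sub(r"\D", "", str(value))


def width_as_posted(value):
    """$width|default:400|escape:'html' -- the chain in the posted widget."""
    return escape_html(smarty_default(value, "400"))


def width_as_suggested(value):
    """$width|default:400|regex_replace:"/\\D/":"" -- the chain from the reply.
    Smarty applies modifiers left to right, so default runs before the strip."""
    return strip_non_digits(smarty_default(value, "400"))


def width_checked(value, default=400, lo=1, hi=4000):
    """Stricter variant (assumption, not from the thread): strip first, then
    apply the default and clamp to [lo, hi], so the result is always an int."""
    digits = strip_non_digits(value) if value is not None else ""
    n = int(digits) if digits else default
    return min(max(n, lo), hi)


# Allow-list for the image parameter (assumption): a bare .dzi filename with
# no directory separators, so it can only name a file in the vslide directory.
DZI_NAME = re.compile(r"[A-Za-z0-9_-]+\.dzi")


def dzi_name_allowed(value):
    """True only if the whole value matches the bare-filename pattern."""
    return DZI_NAME.fullmatch(str(value)) is not None


def render_style(width, height):
    """The style attribute the widget builds from the two size values."""
    return f"width: {width}px; height: {height}px;"


# Constructed sample parameter values, as a wiki page might pass them.
SAMPLE_WIDTHS = ["800", "", "800; color: red", "abc", None]
SAMPLE_IMAGES = ["12881.dzi", "../other/12881.dzi"]

if __name__ == "__main__":
    for w in SAMPLE_WIDTHS:
        print(repr(w), "->", repr(width_as_posted(w)),
              repr(width_as_suggested(w)), width_checked(w))
    for name in SAMPLE_IMAGES:
        print(repr(name), "->", dzi_name_allowed(name))
    print(render_style(width_checked("800"), width_checked("600")))
```

Running it shows why the question matters for a value that lands inside a style attribute: `escape:'html'` leaves `800; color: red` untouched, while the digit strip reduces it to `800`. It also shows the effect of modifier order: with `default` before `regex_replace`, a value containing no digits ends up as an empty string (so the attribute reads `width: px`), whereas stripping first and defaulting afterwards, as `width_checked` does, always yields a number within the configured bounds. The `.dzi` allow-list is the same idea applied to the filename parameter: accept only the shape the widget needs rather than trying to escape whatever arrives.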