On Sun, Oct 30, 2016 at 10:25 PM, Dr. Michael Bonert michael@librepathology.org wrote:
> Thanks for all the comments Bawolff and Daniel!
> They have confirmed the suspicion I had: using the 'Widget' extension is a way to insert something into MediaWiki... but it puts a hole into the security framework -- especially if you are passing parameters to the Widget.
> Broadly speaking, the Widgets seem to be an avenue to fulfill the needs of two different constituencies - (1) a constituency that wants to add things the Wikimedia Foundation (WMF) isn't going to develop 'cause it doesn't fit with their mission, and (2) a constituency to add things that the WMF hasn't prioritized but could be useful to the WMF.
To be clear, anyone (with the relevant programming knowledge) can make a PHP MediaWiki extension - you do not have to be associated with the WMF or have it be a priority of the WMF. The only time you need approval of anyone else is if you need something integrated with core (not really relevant in this case) or want it enabled on a WMF website. However, the Widgets extension is not enabled on WMF websites (and it is pretty unlikely it ever will be), so widgets don't help you in that regard.
The audience for widgets seems primarily aimed towards either people who don't know how to make PHP MediaWiki extensions, or groups that want to allow their users to make custom things without letting them do arbitrary PHP stuff. This means the barrier to entry for widgets is very low (which is normally a good thing), but the Smarty framework is not really a security-first framework. The result is you have a lot of people who don't know very much about XSS, making widgets in a framework that requires you to know a lot about web security to do it safely. End result is a lot of vulnerable code.
> OpenSeadragon I think fits with the latter... and it begs the question: How to generate enthusiasm for getting OpenSeadragon securely integrated into MediaWiki?
> At a functional level a deep zoom image (DZI) is an image... if implemented it might improve on the current paradigm of a small thumbnail-click for link to WikiCommons-click *again* for full resolution of image; in OpenSeadragon (as implemented with the widget) it is zoom with roller, click for fullscreen with OpenSeadragon.
From a Wikimedia perspective - currently some people do link to a Tool Labs script as a hacky way to get zooming of large images. e.g. http://tools.wmflabs.org/zoomviewer/index.php?f=File%3AHawaii+lava+field+360... . There's been some talk of doing something better, but as far as I know nobody is really working on it. See for example https://phabricator.wikimedia.org/T138933
-- bawolff
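To make the point in the reply above concrete (the Smarty-based widget framework does nothing for you unless each parameter is escaped where it lands), here is an added example. It is not code from this thread, from the Widgets extension, or from OpenSeadragon. It assumes the Widgets extension's `<!--{$name}-->` placeholder syntax and Smarty's `escape:'html'` modifier; the renderer and the URL check are toy code written for this illustration, and the template, parameter value and URLs are constructed.

```php
<?php
declare(strict_types=1);

// Toy stand-in for the Widgets extension's Smarty substitution step.
// Two placeholder forms are recognised: <!--{$name}--> (inserted verbatim)
// and <!--{$name|escape:'html'}--> (HTML-escaped). This is illustration
// code written for this example, not the extension's own renderer.
function renderWidget(string $template, array $params): string
{
    return preg_replace_callback(
        '/<!--\{\$(\w+)(\|escape:\'html\')?\}-->/',
        static function (array $m) use ($params): string {
            $value = (string) ($params[$m[1]] ?? '');
            // Only the |escape:'html' modifier escapes. A bare placeholder
            // drops untrusted text straight into the page, which is the
            // hole the thread warns about when parameters are passed in.
            if (!empty($m[2])) {
                return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            }
            return $value;
        },
        $template
    );
}

// HTML escaping alone does not make a URL parameter safe: a tile-source
// URL must also be an http(s) URL rather than, say, a javascript: URL.
// Assumed policy for this example: absolute http/https only, and no
// credentials in the authority part.
function isAcceptableTileSourceUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return !isset($parts['user']) && !isset($parts['pass']);
}

// Widget markup as a wiki admin might write it (constructed for this example):
// the same attribute, once with a bare placeholder and once escaped.
$vulnerableTemplate = '<div class="osd-viewer" data-dzi="<!--{$dzi}-->"></div>';
$hardenedTemplate   = '<div class="osd-viewer" data-dzi="<!--{$dzi|escape:\'html\'}-->"></div>';

// Constructed untrusted parameter value, as a page editor could supply it
// when calling the widget from wikitext.
$untrusted = ['dzi' => '"><script>alert(1)</script>'];

// The first line breaks out of the attribute; the second stays inside it.
echo renderWidget($vulnerableTemplate, $untrusted), "\n";
echo renderWidget($hardenedTemplate, $untrusted), "\n";

// A tile-source parameter should pass the scheme check before it is
// handed to the viewer at all, independently of the escaping above.
var_dump(isAcceptableTileSourceUrl('https://example.org/slides/sample.dzi'));
var_dump(isAcceptableTileSourceUrl('javascript:alert(1)'));
```

Run it with `php example.php`. The two `echo` lines show why escaping has to happen at the point where a parameter is inserted rather than being assumed from the framework, and the two `var_dump` lines show that a URL-typed parameter needs a scheme allowlist on top of escaping, since an escaped `javascript:` URL is still a `javascript:` URL once the browser reads the attribute back.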