-----Original Message-----
From: Philip Hunt [mailto:cabalamat@googlemail.com]
Sent: Friday, October 24, 2008 09:46 AM
To: mediawiki-l(a)lists.wikimedia.org
Subject: [Mediawiki-l] security issues with $wgRawHtml ?
On my MediaWiki site I'm about to set
$wgRawHtml = true;
in order to allow YouTube and other embedded content. However, the
manual says (
http://www.mediawiki.org/wiki/Manual:$wgRawHtml):
Warning: This is very dangerous on a publicly editable site, so you
shouldn't enable it unless you've restricted editing to trusted users
only
When it says "very dangerous", what does this mean? Does it for
example enable an exploit that would let someone hack into the
MediaWiki site? Or does it merely allow Javascript that would allow a
malicious person to harm a user's computer if they view the page?
It means exactly what it says it does - Raw HTML in your Wiki. Think of it in terms of
what can happen without the wiki...
If you have a standard open web server, and you allow the general public to put whatever
HTML page they want on it, what protections are there to stop a very bad HTML page being
made?
Also, in regards to open access to drop in Flash content, remember the plugin itself has
had security issues before.
You might want to have a careful think about what content you are looking to provide, and
what the case is for have it available.
If you enable uploads from an open internet, there is always a chance someone will link
to something bad, often quite innocently from one of those "oh look at this funny
video" links :)
(I'm aware I could use an extension such as
http://www.mediawiki.org/wiki/Extension:VideoFlash but that would
limit me to embedding stuff from just thoase sites it allows.)
You may also want to look at this extension FramedVideo
http://www.mediawiki.org/wiki/Extension:FramedVideo
Cheers,
Dagan McGregor
Landmark Technologies