A few comments about the proposed solution:
1) Although the extension intends to return its inner text directly back,
this isn't really "raw HTML" since it will still be whitespace processed by
the Parser, and (possibly) jacked up by Tidy. (This is something to
generally watch out for) - see bug 8997
[http://bugzilla.wikimedia.org/show_bug.cgi?id=8997]
2) This is really more powerful than the use-case requires and forces the
editor to do the work of writing out the full tag and also wrap it in
<QuickTime> tags (more typing).
I was going to propose adding the embed attributes to the "attribute
whitelist", but upon further inspection of Sanitizer.php, I can't find a
global that provides this mechanism :(
I think the best bet is to create a parser hook which does the following:
1) Hooks 'embed' (or 'QuickTime' - doesn't really matter), so the tags
are just <embed ... /> in the wiki code
2) Strips the attribute list of anything not needed
3) Returns "<embed " followed by the remaining, unstripped, attributes which
were passed in.
Note that this still doesn't solve the "it's not raw HTML" problem, but
it reduces the amount of typing necessary and makes it less likely that
typos go through to the browser.
Just my USD 0.02
-- Jim R. Wilson (jimbojw)
On 2/23/07, Jan Steinman <Jan(a)bytesmiths.com> wrote:
>
> > From: "David Gerard" <dgerard(a)gmail.com>
> >
> > I know quite a few people whose personal website runs on MediaWiki
> > just 'cos they can. They're the only editor and it's just a handy
> > way of putting up nicely-formatted pages and resources without
> > having to write HTML or work too hard.
>
> If you only have "trusted" editors, the following is a raw HTML
> extension, disguised as a QuickTime extension. But it is certainly
> unsafe if you allow untrusted editors.
>
> <?php
> # QuickTime extension
> # To use, include this file from your LocalSettings.php
> # To configure, set members of $wgquicktimeSettings after the inclusion
>
> class quicktimeSettings {
> };
> $wgquicktimeSettings = new quicktimeSettings;
>
> $wgExtensionFunctions[] = 'wfQuickTimeExtension';
>
> function wfQuickTimeExtension() {
>     global $wgParser;
>     $wgParser->setHook('QuickTime', 'renderQuickTime');
> }
>
> function renderQuickTime($quickTimeSrc, $style='') {
>     return $quickTimeSrc;
> }
> ?>
>
>
> :::: This phase we're in of exponential growth is about over. We now
> have an exponential growth culture that at the present time doesn't
> even know how to cope with a state of non-growth. -- M. King Hubbert,
> 1976 ::::
> :::: Jan Steinman <http://www.EcoReality.org> ::::
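
The parser hook proposed in the reply above (hook 'embed', strip the attributes that are not needed, return the tag), as an added example that is not code from the thread or from MediaWiki. The allowed attribute names and the value patterns are assumptions; the example goes one step beyond the proposal by also validating each value, so that a whitelisted attribute cannot carry a javascript: URL or break out of its quotes.

```php
<?php
# Added example, not from the thread: whitelist-based <embed> parser hook.
# The attribute list and value patterns below are assumptions; adjust them.

$wgExtensionFunctions[] = 'wfEmbedExtension';

function wfEmbedExtension() {
    global $wgParser;
    $wgParser->setHook( 'embed', 'renderEmbed' );
}

# Allowed attribute name => pattern the whole value must match.
function embedAllowedAttributes() {
    return array(
        'src'        => '!^https?://[^\s"\'<>]+$!iD',
        'width'      => '/^\d{1,4}$/D',
        'height'     => '/^\d{1,4}$/D',
        'autoplay'   => '/^(true|false)$/iD',
        'controller' => '/^(true|false)$/iD',
        'loop'       => '/^(true|false)$/iD',
    );
}

# MediaWiki calls the hook with the tag's inner text and its attributes.
# $input is ignored on purpose: only whitelisted attributes reach the output.
function renderEmbed( $input, $args = array() ) {
    $allowed = embedAllowedAttributes();
    $out = array();
    foreach ( $args as $name => $value ) {
        $name = strtolower( $name );
        if ( !isset( $allowed[$name] ) || !is_string( $value )
            || !preg_match( $allowed[$name], $value ) ) {
            continue; # drops event handlers, style=, non-http(s) URLs, ...
        }
        $out[$name] = $name . '="' . htmlspecialchars( $value, ENT_QUOTES ) . '"';
    }
    if ( !isset( $out['src'] ) ) {
        return ''; # no valid source, emit nothing
    }
    return '<embed ' . implode( ' ', $out ) . ' />';
}

# Constructed sample attributes, run stand-alone outside MediaWiki.
$sample = array(
    'src' => 'http://example.org/clip.mov', 'width' => '320', 'height' => '256',
    'onmouseover' => 'alert(1)', 'style' => 'position:fixed',
);
echo renderEmbed( '', $sample ), "\n";
```

As the reply notes, the returned tag can still be altered afterwards by the parser's whitespace handling and by Tidy.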