From: Philip Hunt [mailto:email@example.com]
Sent: Friday, October 24, 2008 09:46 AM
Subject: [Mediawiki-l] security issues with $wgRawHtml ?
On my MediaWiki site I'm about to set
$wgRawHtml = true;
in order to allow YouTube and other embedded content. However, the
manual says (http://www.mediawiki.org/wiki/Manual:$wgRawHtml
Warning: This is very dangerous on a publicly editable site, so you
shouldn't enable it unless you've restricted editing to trusted users
When it says "very dangerous", what does this mean? Does it for
example enable an exploit that would let someone hack into the
malicious person to harm a user's computer if they view the page?
It means exactly what it says it does - Raw HTML in your Wiki. Think of it in terms of
what can happen without the wiki...
If you have a standard open web server, and you allow the general public to put whatever
HTML page they want on it, what protections are there to stop a very bad HTML page being
Also, in regards to open access to drop in Flash content, remember the plugin itself has
had security issues before.
You might want to have a careful think about what content you are looking to provide, and
what the case is for have it available.
If you enable uploads from an open internet, there is always a chance someone will link
to something bad, often quite innocently from one of those "oh look at this funny
video" links :)
(I'm aware I could use an extension such as
but that would
limit me to embedding stuff from just thoase sites it allows.)
You may also want to look at this extension FramedVideo