Thanks for all the comments Bawolff and Daniel!
They have confirmed the suspicion I had: using the 'Widget' extension is a way to insert something into MediaWiki... but it puts a hole into the security framework, especially if you are passing parameters to the Widget.
Broadly speaking, the Widgets seem to be an avenue to fulfill the needs of two different constituencies - (1) a constituency that wants to add things the WikiMedia Foundation (WMF) isn't going to develop 'cause it doesn't fit with their mission, and (2) a constituency to add things that the WMF hasn't prioritized but could be useful to the WMF.
OpenSeadragon I think fits with the latter... and it begs the question: How to generate enthusiasm for getting OpenSeadragon securely integrated into MediaWiki?
At a functional level a deep zoom image (DZI) is an image... if implemented it might improve on the current paradigm of a small thumbnail-click for link to WikiCommons-click *again* for full resolution of image; in OpenSeadragon (as implemented with the widget) it is zoom with roller, click for fullscreen with OpenSeadragon.
Once again thanks, Michael
Quoting "Dr. Michael Bonert" michael@librepathology.org:
Hello,
I was wondering about the security of Widgets (https://www.mediawiki.org/wiki/Extension:Widgets) that get parameters passed to them. Any thoughts?
Are the parameters passed through to the widget cleansed of HTML/scripts? If they aren't, is it possible to easily enforce typing/boundaries on the parameters?
Generally speaking, I am looking for a discussion around security & widgets.
A widget I created (below) takes three parameters (width, height, filename) and feeds those to OpenSeadragon (https://openseadragon.github.io / https://en.wikipedia.org/wiki/Seadragon_Software). It works on a testing server.
OpenSeadragon was discussed in brainstorming in 2015 - https://www.mediawiki.org/wiki/Reading/Quarterly_Brainstorming
My interest in this is virtual (microscopic) slides (e.g. http://openslide.org/demo/ ) which are often several gigabytes of data each.
Thanks, Michael
------------------------ Widget code...
Create page: Widget:OpenSeadragon
---------------------------------------------------------------------
<noinclude>__NOTOC__
<!-- Copyright (c) 2016 Michael Bonert -->
<!-- Released under GNU General Public Licence - Version 3; see http://www.gnu.org/licenses/gpl.html -->
To insert this widget, use the following code:
<nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
|image=12881.dzi
|width=800
|height=600
}}</nowiki>
</noinclude>
<includeonly><!-- This inserts an OpenSeadragon image -->
<div id="openseadragon1" style="width: <!--{$width|default:400|escape:'html'}-->px; height: <!--{$height|default:300|escape:'html'}-->px;"></div>
<script src="../../openseadragon/openseadragon.min.js"></script>
<script type="text/javascript">
var viewer = OpenSeadragon({
    id: "openseadragon1",
    prefixUrl: "../../openseadragon/images/",
    tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
});
</script>
</includeonly>
-------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Michael Bonert, BASc (Mech Eng), MASc (Biomed Eng), MD, FRCPC Board Member and Founder
Libre Pathology Limited Newfoundland and Labrador
Email: michael@librepathology.org Mobile: 289 776-8722
Web: http://librepathology.org Twitter: http://twitter.com/librepathology +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
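Michael's question above about enforcing typing/boundaries on the parameters, worked through as an added Python example (not code from this thread, from the Widgets extension or from Smarty): constructed mimics of the two Smarty escape modifiers the widget uses, next to a hypothetical whitelist validator for width, height and image that runs before any template output. The MAX_PX bound and the IMAGE_RE pattern are assumptions chosen for this example.

```python
import html
import re
from urllib.parse import quote

# Constructed mimics of the two Smarty modifiers the widget relies on
# (escape:'html' ~ htmlspecialchars, escape:'urlpathinfo' ~ rawurlencode keeping '/').
# They only escape metacharacters; they do not check that a value is a number or a file name.
def smarty_escape_html(value) -> str:
    return html.escape(str(value), quote=True)

def smarty_escape_urlpathinfo(value) -> str:
    return quote(str(value), safe="/")

# Hypothetical typed/bounded whitelist for the three widget parameters (assumed values).
MAX_PX = 4000                                        # assumed upper bound for the viewer box
IMAGE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.dzi")   # bare file name: no '/', no '..', no other extension

class WidgetParamError(ValueError):
    """Raised when a widget parameter fails the type or bounds check."""

def _px(value, name, default) -> int:
    """Integer pixel size in [1, MAX_PX]; empty/None falls back to the widget's default."""
    if value is None or str(value) == "":
        return default
    s = str(value)
    if not s.isdigit():                              # rejects '800px', '-1', '1e3', '400;x'
        raise WidgetParamError(f"{name} must be a positive integer, got {s!r}")
    n = int(s)
    if not 1 <= n <= MAX_PX:
        raise WidgetParamError(f"{name} out of range: {n}")
    return n

def validate_params(width, height, image):
    """Return (width, height, image) as checked values, or raise WidgetParamError."""
    w = _px(width, "width", 400)
    h = _px(height, "height", 300)
    img = str(image)
    if not IMAGE_RE.fullmatch(img):
        raise WidgetParamError(f"image must be a bare .dzi file name, got {img!r}")
    return w, h, img

def rejects(width, height, image) -> bool:
    """True if the validator refuses this parameter set (convenience for checks)."""
    try:
        validate_params(width, height, image)
    except WidgetParamError:
        return True
    return False

def render_widget(width, height, image) -> str:
    """Emit the widget markup only from validated values; escaping is then a second layer."""
    w, h, img = validate_params(width, height, image)
    return (f'<div id="openseadragon1" style="width: {w}px; height: {h}px;"></div>\n'
            '<script type="text/javascript">var viewer = OpenSeadragon({id: "openseadragon1", '
            f'tileSources: "../../vslide/{smarty_escape_urlpathinfo(img)}"}});</script>')
```

The contrast to notice: smarty_escape_html passes a value like "800px;x" through unchanged because it contains no HTML metacharacters, while validate_params refuses it, so typing and bounds are what actually constrain what lands in the style attribute and the tile URL.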
On Sun, Oct 30, 2016 at 10:25 PM, Dr. Michael Bonert michael@librepathology.org wrote:
Thanks for all the comments Bawolff and Daniel!
They have confirmed the suspicion I had: using the 'Widget' extension is a way to insert something into MediaWiki... but it puts a hole into the security framework, especially if you are passing parameters to the Widget.
Broadly speaking, the Widgets seem to be an avenue to fulfill the needs of two different constituencies - (1) a constituency that wants to add things the WikiMedia Foundation (WMF) isn't going to develop 'cause it doesn't fit with their mission, and (2) a constituency to add things that the WMF hasn't prioritized but could be useful to the WMF.
To be clear, anyone (with the relevant programming knowledge) can make a PHP MediaWiki extension - you do not have to be associated with the WMF or have it be a priority of the WMF. The only time you need approval of anyone else is if you need something integrated with core (not really relevant in this case) or want it enabled on a WMF website. However, the Widgets extension is not enabled on WMF websites (and it is pretty unlikely it ever will be), so widgets don't help you in that regard.
The audience for widgets seems primarily aimed towards either people who don't know how to make PHP MediaWiki extensions, or groups that want to allow their users to make custom things without letting them do arbitrary PHP stuff. This means the barrier for entry to widgets is very low (which is normally a good thing), but the Smarty framework is not really a security-first framework. The result is you have a lot of people who don't know very much about XSS, making widgets in a framework that requires you to know a lot about web security to do it safely. End result is a lot of vulnerable code.
OpenSeadragon I think fits with the latter... and it begs the question: How to generate enthusiasm for getting OpenSeadragon securely integrated into MediaWiki?
At a functional level a deep zoom image (DZI) is an image... if implemented it might improve on the current paradigm of a small thumbnail-click for link to WikiCommons-click *again* for full resolution of image; in OpenSeadragon (as implemented with the widget) it is zoom with roller, click for fullscreen with OpenSeadragon.
From a Wikimedia perspective - currently some people do link to a Tool Labs script as a hacky way to get zooming of large images, e.g. http://tools.wmflabs.org/zoomviewer/index.php?f=File%3AHawaii+lava+field+360... . There's been some talk of doing something better, but as far as I know nobody is really working on it. See for example https://phabricator.wikimedia.org/T138933
-- bawolff
mediawiki-l@lists.wikimedia.org