On Tue, 04 Sep 2012 14:14:34 -0700, Jeroen De Dauw jeroendedauw@gmail.com wrote:
Hey,
This is clearly not the case. Because there are XSS vectors all over these
widgets. Developers who understand security do not monitor code strewn about in piles of wiki pages. They in no way have the same level of gatekeeping as extensions.
So instead of writing a widget publicly visible, the random third party admin who barely knows the basics of PHP goes and writes something that quite possibly is not published anywhere and can have gaping security holes not known to them and remaining so.
Random third party admins running wikis so small they hack together custom code don't have people who understand security reviewing anything for vulnerabilities. Even if it's public it's going to stay vulnerable.
The only way these sites will ever have something secure is if we have a nice widget request area where third party admins can get someone to write a simple widget extension for some service they want to use.
You also mention stuff such as Html::element. Guess what - they might not know about it. I have looked at A LOT of extensions, and I can assure you that you have a rather rosy view on the subject.
We just have bad documentation on the subject. A proper PHP-based Widget extension would provide some APIs even nicer than our current Html. Easy to use validation. Boilerplate cleanup. And would naturally come with good documentation that encourages people to use the high-level style of code. Well, not just encourages... I'd say it wouldn't even mention the fact you can concatenate strings of HTML.
Cheers

--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil.
--
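An added example, not taken from this thread, contrasting the two styles the reply refers to: a widget that renders a link from a supplied parameter by concatenating HTML, beside the same widget built from escaped attributes and content. The helper names and sample values are constructed; the stand-alone `renderSafe` mirrors what MediaWiki's `Html::element` does with `htmlspecialchars`, so the script runs without MediaWiki loaded.

```php
<?php
// Constructed sample input: the kind of value a widget parameter can carry.
// A double quote in it breaks out of an attribute in the concatenated form.
$url   = 'http://example.org/?q=1';
$label = 'Click" onmouseover="alert(1)';

// The "concatenate strings of HTML" style the reply argues documentation
// should not even mention: nothing escapes $label or $url, so the label
// closes the title attribute and injects a new one.
function renderUnsafe( $url, $label ) {
    return '<a href="' . $url . '" title="' . $label . '">' . $label . '</a>';
}

// The high-level style: every attribute value and the text content are
// escaped. In MediaWiki this is
//   Html::element( 'a', array( 'href' => $url, 'title' => $label ), $label );
// This hypothetical stand-alone helper does the same escaping with
// htmlspecialchars so the example runs outside MediaWiki.
function renderSafe( $url, $label ) {
    $attrs = array( 'href' => $url, 'title' => $label );
    $html = '<a';
    foreach ( $attrs as $name => $value ) {
        $html .= ' ' . $name . '="'
            . htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' ) . '"';
    }
    return $html . '>' . htmlspecialchars( $label, ENT_QUOTES, 'UTF-8' ) . '</a>';
}

// Escaping is not validation: neither form checks that $url uses an
// acceptable scheme. That check is the "easy to use validation" a widget
// API would have to supply alongside the escaping.
echo renderUnsafe( $url, $label ), "\n";
echo renderSafe( $url, $label ), "\n";
```

Running it prints the concatenated form with `onmouseover` as a live attribute and the escaped form with the quote rendered as `&quot;` inside both the title attribute and the link text.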