Hi everybody,
Sumana suggested I should post to this list so you guys can help me.
A few years back I saw a need for easy widget creation and too many extensions that just did that, but were not so well maintained and had a bunch of XSS holes in them and so on. That's when I came up with the idea of the Widgets extension: http://www.mediawiki.org/wiki/Extension:Widgets
Since individual widgets were just wiki pages, I created a standalone wiki where everybody can post their widgets (in a special "Widget" namespace), which will be available to everyone after a basic security review (it integrates with Flagged Revisions if it's installed): http://www.mediawikiwidgets.org/
There are plenty of widgets there and quite a few people use the extension and the widgets on their wikis.
That being said, I moved on to other kinds of work and would be happy to give MediaWikiWidgets.org back to the community instead of slowly killing it by inactivity. It would be great if the Wikimedia Foundation could take this project over and host it either as a standalone site or as part of mediawiki.org - I'll be happy to assist in moving the catalog and would probably still be curious enough to contribute a widget or two once in a while.
Best,
Sergey
On Mon, 03 Sep 2012 19:57:20 -0700, Sergey Chernyshev sergey.chernyshev@gmail.com wrote:
I don't really like this idea. I'd prefer it that the Widgets extension doesn't get any more popular than it already is.
Frankly I wish I could stick an {{XSS alert}} template on that page and be done with it. But I haven't because the extension is only an enabler making it trivially easy to add an XSS hole into your wiki.
The premise of the extension is flawed. If someone cannot be trusted to securely write a widget in PHP, there is no way that they can be trusted to properly escape raw concatenated HTML. It basically takes extension code -- something we can put into standard repositories, provide full pre-commit security review for, notify users of security holes in, and, in the future, incorporate systems that tell you when there's a new version (likely with a security fix) you should upgrade to -- and puts it into raw concatenated HTML wiki pages -- lacking in extensive escaping and high-level abstraction -- managed by users who do not necessarily have any programming skills, much less a proper understanding of security; somewhere developers naturally pay no attention to; somewhere with no alerts about security holes, etc. And it suggests that users just C&P the widget (potentially with an open XSS vector) into their wiki and never look back to see if a critical hole has been fixed.
A number of widgets inside that site have critical XSS vectors inside of them. Every time I go back there and look at random ones it doesn't take long to find a hole.
I would not be opposed to an extension that makes high-level validation and construction of simple widgets as extension code easier. Or making it easier to get into Gerrit so people can submit extension code and we can properly review it. But there is absolutely no way that the fundamentals the Widgets extension is based on will provide the proper environment to create secure widgets.
wikitech-l@lists.wikimedia.org