A couple of quick things which I noticed in CategoryTree yesterday and want to make sure people are aware of in general:
First, if you use any global variables, set them first! If a site has PHP's register_globals option on (not recommended, but sometimes on for compatibility) it's possible to set arbitrary global variables to string or array-of-string values from any HTTP request.
So something like this is unsafe:

    if ( !isset( $wgCategoryTreeMaxChildren ) ) $wgCategoryTreeMaxChildren = 200;

since it allows the other end of the HTTP connection to pass something like &wgCategoryTreeMaxChildren=1000000 and flood the server with a request. Other settings might be more dangerous, such as a command line or SQL fragment.
Instead, just set it directly:

    $wgCategoryTreeMaxChildren = 200;
The site admin can customize the setting in LocalSettings.php after the inclusion of the extension file.
Second, beware of CSS. There are various exciting ways you can abuse it, including the use of inline JavaScript expressions in Internet Explorer. (It may also be possible to attach XBL/XUL stuff in Firefox.) This opens up scripting vulnerabilities and could be used to steal cookies or take over a login session.
The Sanitizer::validateTagAttributes() function is available to whitelist HTML attributes for a given tag and clean up blacklisted CSS bits. To let user-supplied CSS style attributes through on your tag, you should run it through something like this:
    $divAttribs = Sanitizer::validateTagAttributes( $argv, 'div' );
You can then either pick out just the style attribute (if present) or pass through all the attributes that MediaWiki would have allowed on a <div> in wikitext.
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org
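The two points above, as an added PHP example that is not part of the original post and not MediaWiki's own code. Part 1 simulates register_globals=On on a constructed request and contrasts the unsafe "set it if unset" pattern with an unconditional assignment. Part 2 uses two hypothetical helpers, filterStyleAttribute() and divAttributes(), to illustrate the kind of attribute and CSS whitelisting that Sanitizer::validateTagAttributes() performs; they are assumptions for illustration, not that function, and are far less thorough than it.

```php
<?php
// Added example: not code from the original post or from MediaWiki.
// Part 1 simulates register_globals=On and contrasts the unsafe and safe
// ways of setting an extension default. Part 2 is a hypothetical
// filterStyleAttribute() helper that illustrates the kind of whitelisting
// Sanitizer::validateTagAttributes() performs; it is not that function.

// ---- Part 1: why "set it if unset" fails under register_globals ----------

// Constructed request, as from ?wgCategoryTreeMaxChildren=1000000
$request = [ 'wgCategoryTreeMaxChildren' => '1000000' ];

// register_globals=On effectively does this for every request parameter.
foreach ( $request as $name => $value ) {
    $GLOBALS[$name] = $value;
}

// Unsafe: the isset() check sees the injected global and keeps it.
function unsafeDefault() {
    global $wgCategoryTreeMaxChildren;
    if ( !isset( $wgCategoryTreeMaxChildren ) ) {
        $wgCategoryTreeMaxChildren = 200;
    }
    return (int)$wgCategoryTreeMaxChildren;
}

// Safe: unconditional assignment discards whatever the request injected.
// LocalSettings.php, included after the extension file, can still override.
function safeDefault() {
    global $wgCategoryTreeMaxChildren;
    $wgCategoryTreeMaxChildren = 200;
    return (int)$wgCategoryTreeMaxChildren;
}

printf( "unsafe default: %d\n", unsafeDefault() );
printf( "safe default:   %d\n", safeDefault() );

// ---- Part 2: whitelisting a user-supplied style attribute ---------------

// Hypothetical helper. Keeps a small set of harmless properties and drops
// any declaration whose value could become script or an external fetch in
// browsers of the time (IE expression(), url(), -moz-binding, behavior).
function filterStyleAttribute( $style ) {
    $allowedProps = [ 'color', 'background-color', 'margin', 'padding',
                      'width', 'height', 'float', 'text-align' ];
    $kept = [];
    foreach ( explode( ';', $style ) as $decl ) {
        if ( strpos( $decl, ':' ) === false ) {
            continue;
        }
        list( $prop, $value ) = explode( ':', $decl, 2 );
        $prop = strtolower( trim( $prop ) );
        $value = trim( $value );
        if ( !in_array( $prop, $allowedProps, true ) ) {
            continue;
        }
        // Normalise before checking so exp/**/ression( or exp\ression(
        // cannot hide the dangerous token: strip comments, refuse any
        // remaining backslash escape, lowercase, remove whitespace.
        $check = preg_replace( '!/\*.*?\*/!s', '', $value );
        if ( strpos( $check, '\\' ) !== false ) {
            continue;
        }
        $check = preg_replace( '/\s+/', '', strtolower( $check ) );
        foreach ( [ 'expression', 'url(', 'javascript:', '-moz-binding',
                    'behavior', '@import', '<' ] as $bad ) {
            if ( strpos( $check, $bad ) !== false ) {
                continue 2;
            }
        }
        $kept[] = "$prop: $value";
    }
    return implode( '; ', $kept );
}

// Hypothetical stand-in for picking the attributes you would allow on a
// <div>, mirroring how you would use the result of validateTagAttributes():
// unknown attributes such as onclick are simply never copied across.
function divAttributes( array $argv ) {
    $out = [];
    foreach ( [ 'id', 'class', 'title' ] as $name ) {
        if ( isset( $argv[$name] ) ) {
            $out[$name] = htmlspecialchars( $argv[$name], ENT_QUOTES );
        }
    }
    if ( isset( $argv['style'] ) ) {
        $clean = filterStyleAttribute( $argv['style'] );
        if ( $clean !== '' ) {
            $out['style'] = htmlspecialchars( $clean, ENT_QUOTES );
        }
    }
    return $out;
}

// Constructed hostile parser-function arguments.
$argv = [
    'class'   => 'tree',
    'onclick' => 'steal()',
    'style'   => 'color: red; width: expression(alert(document.cookie)); '
               . 'float: left; background: url(javascript:evil())',
];
print_r( divAttributes( $argv ) );
```

Run it with the php CLI. unsafeDefault() returns the injected 1000000 while safeDefault() returns 200, and of the constructed attributes only class and the color and float declarations survive: onclick is never whitelisted, the width declaration carries expression(), and background is not an allowed property. The token blacklist here is deliberately crude; the point is the shape (whitelist attribute names, whitelist properties, normalise the value before looking for dangerous constructs), which is what Sanitizer::validateTagAttributes() does properly.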