Brion Vibber wrote:
On Dec 21, 2004, at 6:20 AM, Muke Tever wrote:
Now, you help me. :p It used to be that a few wiktionaries edited [[MediaWiki:Copyrightwarning]] to allow users to click and insert necessary special characters... but it seems it is no longer possible to insert the script (/style/wikibits.js) to allow this. Is there a workaround, or a better way to do it now, or will it just have to revert to a copy-and-paste plain-text list?
Arbitrary HTML and JavaScript in the MediaWiki: messages is dangerous, and is something that's being phased out. There are a couple reasons for this.
The first is security: on our larger sites we have literally *hundreds* of sysops with permissions to edit these messages. With those numbers, it's hard to assign sufficient 'trust'; even if we believe every one of them to be upstanding, well-meaning individuals, the likelihood of a compromised account increases with every new sysop. If a broken-into (or malicious) sysop account can be used to add arbitrary HTML or JavaScript code, it could be used to exploit security vulnerabilities in web browsers or more simply attack and subvert the wiki accounts of other users. Such an attack might be found and reverted immediately, or it might attack dozens or hundreds -- or thousands -- of visitors before being stopped.
The second is robustness: accidentally or maliciously placed invalid HTML could break the site. As the web moves towards more XML (which is very strict about proper markup syntax) it can become difficult to recover from such a breakage without manual intervention.
There's still a lot of places with raw HTML in messages, so it's an ongoing process. Text fragments are being moved to either plaintext or wikitext, depending on their use and purpose. (Paragraph-level blocks such as the copyright warning are generally wikitext.)
It would probably be worthwhile to write up the special character inserter as a MediaWiki extension -- then it could be inserted into the wikitext message in a safe, secure way.
-- brion vibber (brion @ pobox.com)
Hi Brion,
I understand the security implications and I must admit I was already somewhat surprised that it was possible to add JavaScript to these pages. I have been creating a very comprehensive template to allow inserting all the accented characters I was able to cram out of my Mandrake Linux Unicode keyboard. It wasn't totally ready yet and it was good to be able to develop it in real time. I will forward it to you tonight. I don't know how to create MediaWiki extensions. Is there a place where this is described? I can program a little, so I should be able to do it with just a few pointers.
Polyglot