[Mediawiki-l] enabling javascript in 1.4.4

Rowan Collins rowan.collins at gmail.com
Wed May 25 18:46:58 UTC 2005 

On 25/05/05, Crit Van Tuyl <critster at gmail.com> wrote:
>  What I am trying to do is add website info from Alexa Internet (traffic
> button) for the Template "Company_Info".
>  
>  I do know my users and my intention is to only allow Admins the ability to
> add it.  I did read a little on the extensions today.  Not sure how it works
> yet.  Any guidance or suggestions are welcome.

Only letting Admins add particular content is probably not going to
work with the editting model of MediaWiki. People have thought before
of only allowing such code to operate on protected pages, but this
presents problems like someone tricking an admin into protecting a
page which already has such content, or someone taking advantage of
the template inclusion mechanism to manipulate the content of a
protected page, etc.

Since you have a single specific purpose in mind, I strongly suggest
that you use the extension approach, similar to the charInsert code I
linked to in my last message - it should be far easier anyway. If you
made it set a hook for the tag "alexa", and made the output something
along the lines of "<script
type='yadayada'>getAlexaInfo('$data')</script>" (obviously,
"getAlexaInfo()" would be a JavaScript function defined in a site-wide
file such as wikibits.js or the [[MediaWiki:monobook.js]] page), then
users could simply type "<alexa>Company name</alexa>" anywhere they
liked.

So based on CharInsert, the extension file (which you just "include()"
in your LocalSettings.php file) could look something like the
following:
----

if( !defined( 'MEDIAWIKI' ) ) {
	die();
}

$wgExtensionFunctions[] = 'setupAlexaJS';

function setupAlexaJS() {
    global $wgParser;
    $wgParser->setHook( 'alexa', 'insertAlexaJS' );
}

function insertAlexaJS($data) {
   # you'd want to add some "sanitizing" of the string passed in $data here
   # to make sure users couldn't trick their way into inserting
arbitrary JavaScript
   # i.e. escape or remove anything that's not just plain text in JS's eyes
   return "<script type='yadayada'>getAlexaInfo('$data')</script>";
}


Hope this all makes sense!
-- 
Rowan Collins BSc
[IMSoP]

More information about the MediaWiki-l mailing list