[Mediawiki-l] security issues with $wgRawHtml ?

Philip Hunt cabalamat at googlemail.com
Thu Oct 23 20:46:39 UTC 2008


On my MediaWiki site I'm about to set

   $wgRawHtml = true;

in order to allow YouTube and other embedded content. However, the
manual says (http://www.mediawiki.org/wiki/Manual:$wgRawHtml):

   Warning: This is very dangerous on a publicly editable site, so you
shouldn't enable it unless you've restricted editing to trusted users
only

When it says "very dangerous", what does this mean? Does it for
example enable an exploit that would let someone hack into the
MediaWiki site? Or does it merely allow Javascript that would allow a
malicious person to harm a user's computer if they view the page?

(I'm aware I could use an extension such as
http://www.mediawiki.org/wiki/Extension:VideoFlash but that would
limit me to embedding stuff from just those sites it allows.)

-- 
Philip Hunt, <cabalamat at googlemail.com>
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


