[Mediawiki-l] security issues with $wgRawHtml ?

dmcgregor at landmarktech.net dmcgregor at landmarktech.net
Thu Oct 23 21:07:26 UTC 2008


>-----Original Message-----
>From: Philip Hunt [mailto:cabalamat at googlemail.com]
>Sent: Friday, October 24, 2008 09:46 AM
>To: mediawiki-l at lists.wikimedia.org
>Subject: [Mediawiki-l] security issues with $wgRawHtml ?
>
>On my MediaWiki site I'm about to set
>
>   $wgRawHtml = true;
>
>in order to allow YouTube and other embedded content. However, the
>manual says (http://www.mediawiki.org/wiki/Manual:$wgRawHtml):
>
>   Warning: This is very dangerous on a publicly editable site, so you
>shouldn't enable it unless you've restricted editing to trusted users
>only
>
>When it says "very dangerous", what does this mean? Does it for
>example enable an exploit that would let someone hack into the
>MediaWiki site? Or does it merely allow Javascript that would allow a
>malicious person to harm a user's computer if they view the page?

 It means exactly what it says it does - Raw HTML in your Wiki. Think of it in terms of what can happen without the wiki...

 If you have a standard open web server, and you allow the general public to put whatever HTML page they want on it, what protections are there to stop a very bad HTML page being made?

 Also, in regards to open access to drop in Flash content, remember the plugin itself has had security issues before.

 You might want to have a careful think about what content you are looking to provide, and what the case is for having it available.
 If you enable uploads from an open internet, there is always a chance someone will link to something bad, often quite innocently from one of those "oh look at this funny video" links :)

>(I'm aware I could use an extension such as
>http://www.mediawiki.org/wiki/Extension:VideoFlash but that would
>limit me to embedding stuff from just those sites it allows.)

 You may also want to look at this extension FramedVideo
 http://www.mediawiki.org/wiki/Extension:FramedVideo

 Cheers,
 Dagan McGregor
 Landmark Technologies
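As an added illustration of the point made above (this is example configuration written for this page, not code from the thread or from MediaWiki's own documentation), here is a LocalSettings.php fragment that puts the dangerous setting beside the two safer alternatives: keeping raw HTML off, or restricting editing to trusted accounts as the manual asks. It also sketches the allowlist approach the linked extensions take, as a `<youtube>` tag that accepts only a video ID and builds the iframe itself. The tag name, the ID pattern and the function names are this example's assumptions; `$wgRawHtml`, `$wgGroupPermissions`, the `ParserFirstCallInit` hook and the `setHook()` callback signature are MediaWiki's.

```php
<?php
// LocalSettings.php fragment (added example, not from the thread or MediaWiki).

// The setting the original poster is about to enable. With it on, anything
// placed between <html>...</html> in a page is emitted unescaped, so any
// editor can inject arbitrary <script> that runs in every reader's browser
// with that reader's wiki session (stored cross-site scripting).
// $wgRawHtml = true;   // dangerous on a publicly editable wiki

// Safer default: leave raw HTML off.
$wgRawHtml = false;

// If raw HTML really is required, pair it with the restriction the manual
// asks for: only trusted accounts may edit. Anonymous ('*') and ordinary
// ('user') accounts lose 'edit'; sysops keep it.
// $wgRawHtml = true;
// $wgGroupPermissions['*']['edit']     = false;
// $wgGroupPermissions['user']['edit']  = false;
// $wgGroupPermissions['sysop']['edit'] = true;

// Allowlist alternative for the embedding use case: a <youtube> tag that
// accepts only an 11-character video ID and builds the iframe itself, so
// editors never write HTML at all. Tag name, function names and the ID
// pattern are this example's assumptions.
$wgHooks['ParserFirstCallInit'][] = 'setupYouTubeTag';

function setupYouTubeTag( Parser $parser ) {
    $parser->setHook( 'youtube', 'renderYouTubeEmbed' );
    return true;
}

function renderYouTubeEmbed( $input, array $args, Parser $parser, PPFrame $frame ) {
    $id = trim( $input );
    // Reject anything that is not a plausible YouTube video ID. This check is
    // what keeps <youtube> from becoming a second raw-HTML channel.
    if ( !preg_match( '/^[A-Za-z0-9_-]{11}$/', $id ) ) {
        return '<span class="error">Invalid YouTube video ID</span>';
    }
    $src = 'https://www.youtube.com/embed/' . $id;
    // The regex already forbids quotes and angle brackets, but attribute
    // values should always be escaped on output regardless.
    return '<iframe src="' . htmlspecialchars( $src, ENT_QUOTES ) . '" '
        . 'width="560" height="315" frameborder="0" allowfullscreen></iframe>';
}
```

With this in place an editor writes `<youtube>VIDEO_ID_11</youtube>` (a constructed placeholder) and the wiki, not the editor, decides what HTML reaches the reader; anything that fails the ID check is replaced by an error span rather than rendered.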