[Mediawiki-l] sanitizing tag extension parameters for js output

Jim Hu jimhu at tamu.edu
Wed May 9 15:27:02 UTC 2012


I just threw together a simple tag extension to embed a twitter live stream search widget from 

	http://twitter.com/about/resources/widgets/widget_search

in a wiki page.  It just takes the following parameters from $input:

title=<title>
subject=<subject>
query=<query>

These get dropped into a <script> that is returned.  It works, but now I'm wondering what I should do to sanitize the values of title, subject, and query.  I don't want to just use  In the js, the values are all inside single quotes. I was thinking that I would use strip_tags combined with substituting single quotes with ' 

	preg_replace('/\W/', '', $t)

would disallow hashtags and @'s, right?

Jim

=====================================
Jim Hu
Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054





More information about the MediaWiki-l mailing list