Hello,
I was wondering about the security of Widgets (
https://www.mediawiki.org/wiki/Extension:Widgets ) that get
parameters passed to them. Any thoughts?
Are the parameters passed through to the widget cleansed of html/scripts?
If it isn't -- is it possible to easily enforce typing/boundaries on
the parameters?
Generally, speaking, I am looking for a discussion around security & widgets.
A widget I created (below) takes three parameters (width, height,
filename) and feeds those to OpenSeadragon(
https://openseadragon.github.io /
https://en.wikipedia.org/wiki/Seadragon_Software ). It works on a
testing
server.
OpenSeadragon was discussed in brain storming in 2015 -
https://www.mediawiki.org/wiki/Reading/Quarterly_Brainstorming
My interest in this is virtual (microscopic) slides (e.g.
http://openslide.org/demo/ ) which are often
several gigabytes of data each.
Thanks,
Michael
------------------------
Widget code...
Create page: Widget:OpenSeadragon
---------------------------------------------------------------------
<noinclude>__NOTOC__
<!-- Copyright (c) 2016 Michael Bonert -->
<!-- Released under GNU General Public Licence - Version 3; see
http://www.gnu.org/licenses/gpl.html -->
To insert this widget, use the following code:
<nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
|image=12881.dzi
|width=800
|height=600
}}</nowiki>
</noinclude>
<includeonly><!-- This inserts an OpenSeadragon image -->
<div id="openseadragon1" style="width:
<!--{$width|default:400|escape:'html'}-->px; height:
<!--{$height|default:300|escape:'html'}-->px;"></div>
<script src="../../openseadragon/openseadragon.min.js"></script>
<script type="text/javascript">
var viewer = OpenSeadragon({
id: "openseadragon1",
prefixUrl: "../../openseadragon/images/",
tileSources:
"../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
});
</script>
</includeonly>
-------------------------------------------------