[MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

Dr. Michael Bonert michael at librepathology.org
Sun Oct 30 22:25:13 UTC 2016


Thanks for all the comments, Bawolff and Daniel!

They have confirmed the suspicion I had: using the 'Widget' extension
is a way to insert something into MediaWiki... but it puts a hole into
the security framework-- especially if you are passing parameters to
the Widget.

Broadly speaking, the Widgets seem to be an avenue to fulfill the
needs of two different constituencies: (1) a constituency that wants
to add things the Wikimedia Foundation (WMF) isn't going to develop
'cause it doesn't fit with their mission, and (2) a constituency that wants to
add things that the WMF hasn't prioritized but could be useful to the
WMF.

OpenSeadragon I think fits with the latter... and it raises the question:
How to generate enthusiasm for getting OpenSeadragon securely
integrated into MediaWiki?

At a functional level a deep zoom image (DZI) is an image... if
implemented it might improve on the current paradigm of a small
thumbnail, click for a link to WikiCommons, click *again* for the full
resolution of the image; in OpenSeadragon
(as implemented with the widget) it is zoom with the scroll wheel, click for
fullscreen with OpenSeadragon.

Once again thanks,
Michael

Quoting "Dr. Michael Bonert" <michael at librepathology.org>:

Hello,

I was wondering about the security of Widgets (
https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters
passed to them. Any thoughts?

Are the parameters passed through to the widget cleansed of HTML/scripts?
If they aren't -- is it possible to easily enforce typing/boundaries on
the parameters?

Generally speaking, I am looking for a discussion around security & widgets.

A widget I created (below) takes three parameters (width, height,
filename) and feeds those to OpenSeadragon (
https://openseadragon.github.io /
https://en.wikipedia.org/wiki/Seadragon_Software ). It works on a
testing server.

OpenSeadragon was discussed in brain storming in 2015 -
https://www.mediawiki.org/wiki/Reading/Quarterly_Brainstorming

My interest in this is virtual (microscopic) slides (e.g.
http://openslide.org/demo/ ) which are often
several gigabytes of data each.

Thanks,
Michael

------------------------
Widget code...

Create page: Widget:OpenSeadragon
---------------------------------------------------------------------
<noinclude>__NOTOC__
<!-- Copyright (c) 2016 Michael Bonert -->
<!-- Released under GNU General Public Licence - Version 3; see
http://www.gnu.org/licenses/gpl.html -->
To insert this widget, use the following code:

<nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
|image=12881.dzi
|width=800
|height=600
}}</nowiki>


</noinclude>
<includeonly><!-- This inserts an OpenSeadragon image -->
<!-- width/height land inside a style="" attribute. escape:'html' only
     neutralises < > & " ' ; it does not restrict the value to a number,
     so characters such as ';' and ':' pass through unchanged. -->
<div id="openseadragon1" style="width: <!--{$width|default:400|escape:'html'}-->px; height: <!--{$height|default:300|escape:'html'}-->px;"></div>
<script src="../../openseadragon/openseadragon.min.js"></script>
<script type="text/javascript">
     // image lands inside a JS string literal. escape:'urlpathinfo'
     // percent-encodes quotes and most punctuation but, by design,
     // leaves '/' (and therefore '../' path segments) intact.
     var viewer = OpenSeadragon({
         id: "openseadragon1",
         prefixUrl: "../../openseadragon/images/",
         tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
     });
</script>
</includeonly>
-------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Michael Bonert, BASc (Mech Eng), MASc (Biomed Eng), MD, FRCPC
  Board Member and Founder

  Libre Pathology Limited
  Newfoundland and Labrador

  Email: michael at librepathology.org
  Mobile: 289 776-8722

  Web: http://librepathology.org
  Twitter: http://twitter.com/librepathology
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
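The thread above asks whether HTML-escaping the widget's parameters is enough, and the widget's own `escape:'html'` / `escape:'urlpathinfo'` modifiers are the only checks it applies. The block below is an added, stand-alone JavaScript illustration (not code from the original post, from the Widgets extension, or from OpenSeadragon) of why escaping alone is the wrong tool here and what a typed, bounded check looks like: `htmlEscape` reproduces what an htmlspecialchars-style `escape:'html'` does, `styleFromEscapedOnly` builds the style attribute the posted widget builds, and `buildViewerConfig` instead validates `width`/`height` as integers in an assumed 1..4096 range and `image` as a single bare `name.dzi` file name. The upper bound, the file-name pattern, the `/vslide/` and `/openseadragon/images/` prefixes and the sample inputs are all assumptions made for the example.

```javascript
// Added example: parameter checks for an OpenSeadragon widget.
// Not from the original post, the Widgets extension or OpenSeadragon.

const MAX_DIM = 4096;                                   // assumed upper bound for the viewer box
const IMAGE_RE = /^[A-Za-z0-9][A-Za-z0-9_-]*\.dzi$/;   // one bare file name: no '/', no '..', no spaces

// Reproduces what an htmlspecialchars-style escape:'html' modifier does to a value.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// The style attribute the posted widget produces: escaped, but never typed.
function styleFromEscapedOnly(width, height) {
  return `width: ${htmlEscape(width)}px; height: ${htmlEscape(height)}px;`;
}

// Accept only a decimal integer in 1..MAX_DIM; missing value -> fallback; anything else -> null.
function toBoundedInt(value, fallback) {
  if (value === undefined || value === null || value === '') return fallback;
  if (!/^\d{1,4}$/.test(String(value))) return null;      // digits only, no ';' ':' or letters
  const n = Number(value);
  return n >= 1 && n <= MAX_DIM ? n : null;
}

// Validate all three widget parameters before any of them reaches markup or a URL.
// Returns { ok: true, style, config } or { ok: false, error }.
function buildViewerConfig(params) {
  const width = toBoundedInt(params.width, 400);         // defaults mirror the widget's default:400/300
  const height = toBoundedInt(params.height, 300);
  if (width === null || height === null) {
    return { ok: false, error: `width/height must be integers in 1..${MAX_DIM}` };
  }
  const image = String(params.image === undefined ? '' : params.image);
  if (!IMAGE_RE.test(image)) {
    return { ok: false, error: 'image must be a bare file name ending in .dzi' };
  }
  return {
    ok: true,
    // Only the validated integers are interpolated, so the attribute cannot be extended.
    style: `width: ${width}px; height: ${height}px;`,
    config: {
      id: 'openseadragon1',
      prefixUrl: '/openseadragon/images/',              // assumed absolute paths for the example
      tileSources: '/vslide/' + encodeURIComponent(image),
    },
  };
}

// Constructed sample inputs: one benign, two hostile.
const SAMPLES = {
  benign:        { image: '12881.dzi', width: '800', height: '600' },
  styleInjected: { image: '12881.dzi', width: '400; position:fixed; top:0', height: '300' },
  traversal:     { image: '../../etc/passwd', width: '400', height: '300' },
};

module.exports = { htmlEscape, styleFromEscapedOnly, toBoundedInt, buildViewerConfig, SAMPLES };
```

Run with `node`: `styleFromEscapedOnly(SAMPLES.styleInjected.width, 300)` shows the escaped-only attribute still carrying `position:fixed`, while `buildViewerConfig` rejects both hostile samples and passes the benign one through with fixed defaults. In the Smarty template itself the equivalent is to constrain each parameter to a number or a file-name pattern rather than to rely on `escape` alone.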



