On Sun, Oct 30, 2016 at 10:25 PM, Dr. Michael Bonert
<michael(a)librepathology.org> wrote:
> Thanks for all the comments Bawolff and Daniel!
>
> They have confirmed the suspicion I had: using the 'Widget' extension is a
> way to insert something into MediaWiki... but it puts a hole into the
> security framework-- especially if you are passing parameters to the Widget.
>
> Broadly speaking, the Widgets seem to be an avenue to fulfill the needs of
> two different constituencies - (1) a constituency that wants to add things
> the Wikimedia Foundation (WMF) isn't going to develop 'cause it doesn't fit
> with their mission, and (2) a constituency to add things that the WMF hasn't
> prioritized but could be useful to the WMF.

To be clear, anyone (with the relevant programming knowledge) can make
a PHP MediaWiki extension - you do not have to be associated with the
WMF or have it be a priority of the WMF. The only time you need
approval of anyone else is if you need something integrated with core
(not really relevant in this case) or want it enabled on a WMF
website. However, the Widgets extension is not enabled on WMF websites (and
it is pretty unlikely it ever will be), so widgets don't help you in
that regard.

The audience for widgets seems primarily aimed towards either people
who don't know how to make PHP MediaWiki extensions, or for groups
that want to allow their users to make custom things without letting
them do arbitrary PHP stuff. This means the barrier for entry to
widgets is very low (which is normally a good thing), but the Smarty
framework is not really a security-first framework. The result is you
have a lot of people who don't know very much about XSS, making
widgets in a framework that requires you to know a lot about web
security to do it safely. End result is a lot of vulnerable code.

> OpenSeadragon I think fits with the latter... and it begs the question: How
> to generate enthusiasm for getting OpenSeadragon securely integrated into
> MediaWiki?
>
> At a functional level a deep zoom image (DZI) is an image... if implemented
> it might improve on the current paradigm of a small thumbnail-click for link
> to WikiCommons-click *again* for full resolution of image; in OpenSeadragon
> (as implemented with the widget) it is zoom with roller, click for
> fullscreen with OpenSeadragon.

From a Wikimedia perspective - currently some people do link to a tool
labs script as a hacky way to get zooming of large images. e.g.
http://tools.wmflabs.org/zoomviewer/index.php?f=File%3AHawaii+lava+field+36…
. There's been some talk of doing something better, but as far as I
know nobody is really working on it. See for example
https://phabricator.wikimedia.org/T138933
--
bawolff
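
The point made in the message about parameters passed into a template, as an added example that is not part of the original message and is not MediaWiki or Widgets extension code: a PHP function that encodes each parameter for the output context it lands in. `renderViewer()`, `safeUrl()` and the parameter names `id`, `tileSource` and `caption` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not MediaWiki or Widgets extension code. The parameter names
// (id, tileSource, caption) and both function names are hypothetical.

/** Return the URL only if it is syntactically valid and uses http(s). */
function safeUrl(string $url): ?string {
    // FILTER_VALIDATE_URL checks syntax only, so allow-list the scheme as well.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

/** Render viewer markup, encoding each parameter for the context it lands in. */
function renderViewer(array $params): string {
    $id = (string) ($params['id'] ?? '');
    $url = safeUrl((string) ($params['tileSource'] ?? ''));
    // Element ids go through an allow-list pattern instead of escaping.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/D', $id) || $url === null) {
        return '<strong class="error">Invalid viewer parameters</strong>';
    }
    // HTML attribute context: entity-encode, including both quote characters.
    $caption = htmlspecialchars((string) ($params['caption'] ?? ''), ENT_QUOTES, 'UTF-8');
    // Script context: JSON with <, >, &, ' and " hex-escaped, so a value can
    // neither close the string literal nor emit "</script>".
    $config = json_encode(
        ['id' => $id, 'tileSources' => $url],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<div id=\"$id\" title=\"$caption\"></div>\n"
        . "<script>OpenSeadragon($config);</script>";
}

// Constructed inputs: the second is a syntactically valid URL with a scheme
// that the allow-list rejects even though filter_var() accepts it.
$samples = [
    ['id' => 'slide1', 'tileSource' => 'https://example.org/slide1.dzi', 'caption' => 'H&E "20x"'],
    ['id' => 'slide2', 'tileSource' => 'javascript://example.org/slide2.dzi', 'caption' => 'x'],
];
foreach ($samples as $sample) {
    echo renderViewer($sample), "\n\n";
}
```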