On Mon, 03 Sep 2012 19:57:20 -0700, Sergey Chernyshev
<sergey.chernyshev(a)gmail.com> wrote:
Hi everybody,
Sumana suggested I should post to this list so you guys can help me.
A few years back I saw a need in easy widget creation and too many
extensions that just did that, but were not so well maintained and had a
bunch of XSS holes in them and so on, that's when I came up with idea of
Widgets extension:
http://www.mediawiki.org/wiki/Extension:Widgets
Since individual widgets were just wiki pages, I created a standalone wiki
where everybody can post their widgets (in special "Widget" namespace)
which will be available to everyone after basic security review (it
integrates with Flagged Revisions if it's installed):
http://www.mediawikiwidgets.org/
There are plenty of widgets there and quite a few people use the extension
and the widgets on their wikis.
That being said, I moved on to other kinds of work and would be happy to
give MediaWikiWidgets.org back to the community instead of slowly killing it
by inactivity.
It would be great if the Wikimedia Foundation could take this project over
and host it either as a standalone site or as part of mediawiki.org - I'll be
happy to assist in moving the catalog and would probably still be curious
enough to contribute a widget or two once in a while.
Best,
Sergey
I don't really like this idea. I'd prefer it that the Widgets extension
doesn't get any more popular than it already is.
Frankly I wish I could stick an {{XSS alert}} template on that page and be
done with it. But I haven't because the extension is only an enabler
making it trivially easy to add an XSS hole into your wiki.
The premise of the extension is flawed. If someone cannot be trusted to
securely write a widget in PHP, there is no way that they can be trusted to
properly escape raw concatenated HTML.
It basically takes extension code, something we can put into standard
repositories, provide full pre-commit security review for, notify users of
security holes in, and in the future incorporate systems to tell you when
there's a new version (likely with a security fix) you should upgrade to,
and puts it into raw concatenated HTML wiki pages -- lacking in extensive
escaping and high-level abstraction -- managed by users who do not
necessarily have any programming skills, much less a proper understanding
of security; somewhere developers naturally pay no attention to; somewhere
with no alerts about security holes, etc. And it suggests that users just
C&P the widget (potentially with an open XSS vector) into their wiki and
never look back to see if a critical hole has been fixed.
A number of widgets inside that site have critical XSS vectors inside of
them. Every time I go back there and look at random ones it doesn't take
long to find a hole.
I would not be opposed to an extension that makes high-level validation
and construction of simple widgets as extension code easier. Or making it
easier to get into Gerrit so people can submit extension code and we can
properly review it.
But there is absolutely no way that the fundamentals the Widgets extension
is based on will provide the proper environment to create secure widgets.
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
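The reply's claim that a widget written as raw concatenated HTML is harder to get right than the same widget written as PHP extension code is easiest to see on a concrete widget. The following is an added PHP example, not code from the Widgets extension, from MediaWikiWidgets.org, or from either message in the thread; the "Video" widget, its parameter names, the embed URL and the sample payloads are constructed for illustration. It renders one widget three ways (raw concatenation, escaping that does not match the template's quoting, and context-aware escaping) and runs a parse-based check over each rendering rather than grepping the string.

```php
<?php
// Added example; not code from the Widgets extension, MediaWikiWidgets.org or
// either message above.  It models the pattern the reply criticises: a widget
// that splices wiki-supplied parameters straight into HTML.  The widget name
// "Video", its parameters and the embed URL are invented for illustration.

declare(strict_types=1);

// Constructed sample input, standing in for {{#widget:Video|id=...|title=...}}.
// id breaks out of a double-quoted attribute; title breaks out of a single-quoted one.
const SAMPLE_PARAMS = [
    'id'    => '"><script>alert(1)</script>',
    'title' => "x' onload='alert(1)",
];

// 1. Raw concatenation, as a hand-written widget template does it: vulnerable.
function renderVideoRaw(array $p): string
{
    return '<iframe src="https://example.invalid/embed/' . $p['id'] . '"'
         . ' title="' . $p['title'] . '"></iframe>';
}

// 2. Escaping that looks right but does not match the quoting context.
//    ENT_COMPAT (the default before PHP 8.1) leaves the single quote alone,
//    and this template uses single-quoted attributes.  Still vulnerable.
function renderVideoWrongContext(array $p): string
{
    $id    = htmlspecialchars($p['id'], ENT_COMPAT, 'UTF-8');
    $title = htmlspecialchars($p['title'], ENT_COMPAT, 'UTF-8');
    return "<iframe src='https://example.invalid/embed/{$id}' title='{$title}'></iframe>";
}

// Escape for a double- or single-quoted attribute value or a text node.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// 3. Context-aware.  The id lands in a URL path segment inside an attribute,
//    so it is URL-encoded for the URL layer and then HTML-encoded for the
//    attribute layer (innermost context first); the title is a plain attribute.
function renderVideoSafe(array $p): string
{
    $id    = escHtml(rawurlencode($p['id']));
    $title = escHtml($p['title']);
    return '<iframe src="https://example.invalid/embed/' . $id . '"'
         . ' title="' . $title . '"></iframe>';
}

// Reviewer's check: parse the output the way a browser will and look for
// script elements, on* event handler attributes and javascript: URLs.
function hasActiveContent(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // libxml warns about fragments; ignore
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        if ($el->tagName === 'script') {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
            if (preg_match('/^\s*javascript:/i', $attr->value) === 1) {
                return true;
            }
        }
    }
    return false;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (['renderVideoRaw', 'renderVideoWrongContext', 'renderVideoSafe'] as $fn) {
        $html = $fn(SAMPLE_PARAMS);
        printf("%-24s active content: %s\n  %s\n",
            $fn, hasActiveContent($html) ? 'YES' : 'no', $html);
    }
}
```

Run from the command line, the first two renderings are flagged and the third is not. Two details carry the point: each parameter is escaped for the innermost context it lands in and then for every enclosing one, and the escaping flags must match the quoting the template actually uses. Neither is something a page author who copies a widget from a catalog will know to check, which is the objection the reply raises.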