[Wiktionary-l] Doing things we used to be able to do, in the new upgrade
cookfire
cookfire at softhome.net
Wed Dec 22 07:04:09 UTC 2004
Brion Vibber wrote:
> On Dec 21, 2004, at 6:20 AM, Muke Tever wrote:
>
>> Now, you help me. :p It used to be that a few wiktionaries edited
>> [[MediaWiki:Copyrightwarning]] to allow users to click and insert
>> necessary special characters... but it seems it is no longer possible
>> to insert the script (/style/wikibits.js) to allow this. Is there a
>> workaround, or a better way to do it now, or will it just have to
>> revert to a copy-and-paste plain-text list?
>
>
> Arbitrary HTML and JavaScript in the MediaWiki: messages is dangerous,
> and is something that's being phased out. There are a couple reasons
> for this.
>
> The first is security: on our larger sites we have literally
> *hundreds* of sysops with permissions to edit these messages. With
> those numbers, it's hard to assign sufficient 'trust'; even if we
> believe every one of them to be upstanding, well-meaning individuals
> the likelihood of a compromised account increases with every new
> sysop. If a broken-into (or malicious) sysop account can be used to
> add arbitrary HTML or JavaScript code, it could be used to exploit
> security vulnerabilities in web browsers or more simply attack and
> subvert the wiki accounts of other users. Such an attack might be
> found and reverted immediately, or it might attack dozens or hundreds
> -- or thousands -- of visitors before being stopped.
>
> The second is robustness: accidentally or maliciously placed invalid
> HTML could break the site. As the web moves towards more XML (which is
> very strict about proper markup syntax) it can become difficult to
> recover from such a breakage without manual intervention.
>
> There's still a lot of places with raw HTML in messages, so it's an
> ongoing process. Text fragments are being moved to either plaintext or
> wikitext, depending on their use and purpose. (Paragraph-level blocks
> such as the copyright warning are generally wikitext.)
>
> It would probably be worthwhile to write up the special character
> inserter as a MediaWiki extension -- then it could be inserted into
> the wikitext message in a safe, secure way.
>
> -- brion vibber (brion @ pobox.com)
Hi Brion,
I understand the security implications and I must admit I was already
somewhat surprised that it was possible to add JavaScript to these
pages. I have been creating a very comprehensive template to allow
inserting all the accented characters I was able to cram out of my
Mandrake Linux Unicode keyboard. It wasn't totally ready yet and it was
good to be able to develop it in real time. I will forward it to you
tonight. I don't know how to create MediaWiki extensions. Is there a
place where this is described? I can program a little, so I should be
able to do it with just a few pointers.
Polyglot
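
Added example, not part of the original messages and not MediaWiki's own code: one way a special-character inserter can be driven by a plain-text message, so that whoever edits the message controls only which characters are offered and never markup or script. The function names, the `charinsert` class and the `data-char` attribute are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not MediaWiki's API.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for use in HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Treat the editable message as plain text: whitespace-separated tokens,
// each at most maxLen code points and free of control/format characters.
function parseCharList(message, maxLen = 4) {
  const accepted = [];
  const rejected = [];
  for (const token of message.split(/\s+/).filter(Boolean)) {
    const ok = Array.from(token).length <= maxLen && !/\p{C}/u.test(token);
    (ok ? accepted : rejected).push(token);
  }
  return { accepted, rejected };
}

// Build the links. The message supplies only data; markup is fixed here.
function renderInserter(message) {
  return parseCharList(message).accepted
    .map((ch) => {
      const safe = escapeHtml(ch);
      return `<a href="#" class="charinsert" data-char="${safe}">${safe}</a>`;
    })
    .join(' ');
}

// Static click-handler logic, shipped with the site code rather than the
// message: replace the textarea's current selection with the character.
function insertAtCursor(textarea, text) {
  const { value, selectionStart: start, selectionEnd: end } = textarea;
  textarea.value = value.slice(0, start) + text + value.slice(end);
  textarea.selectionStart = textarea.selectionEnd = start + text.length;
  return textarea.value;
}

// Constructed sample message, including a token a hostile editor might try.
const sample = 'á é ñ <b> " <script>alert(1)</script>';
console.log(renderInserter(sample));
console.log(parseCharList(sample).rejected);
```

The length cap is only hygiene; the escaping is what keeps a short token such as `<b>` inert, since it is emitted as text and offered as a literal string to insert.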