[Wiktionary-l] Doing things we used to be able to do, in the new upgrade

Jo cookfire at softhome.net
Thu Dec 23 01:10:47 UTC 2004


Brion Vibber wrote:

> On Dec 21, 2004, at 6:20 AM, Muke Tever wrote:
>
>> Now, you help me. :p  It used to be that a few wiktionaries edited
>> [[MediaWiki:Copyrightwarning]] to allow users to click and insert 
>> necessary special characters... but it seems it is no longer possible 
>> to insert the script (/style/wikibits.js) to allow this. Is there a 
>> workaround, or a better way to do it now, or will it just have to 
>> revert to a copy-and-paste plain-text list?
>
>
> Arbitrary HTML and JavaScript in the MediaWiki: messages is dangerous, 
> and is something that's being phased out. There are a couple reasons 
> for this.
>
> The first is security: on our larger sites we have literally 
> *hundreds* of sysops with permissions to edit these messages. With 
> those numbers, it's hard to assign sufficient 'trust'; even if we 
> believe every one of them to be upstanding, well-meaning individuals 
> the likelihood of a compromised account increases with every new 
> sysop. If a broken-into (or malicious) sysop account can be used to 
> add arbitrary HTML or JavaScript code, it could be used to exploit 
> security vulnerabilities in web browsers or more simply attack and 
> subvert the wiki accounts of other users. Such an attack might be 
> found and reverted immediately, or it might attack dozens or hundreds 
> -- or thousands -- of visitors before being stopped.
>
> The second is robustness: accidentally or maliciously placed invalid 
> HTML could break the site. As the web moves towards more XML (which is 
> very strict about proper markup syntax) it can become difficult to 
> recover from such a breakage without manual intervention.
>
> There's still a lot of places with raw HTML in messages, so it's an 
> ongoing process. Text fragments are being moved to either plaintext or 
> wikitext, depending on their use and purpose. (Paragraph-level blocks 
> such as the copyright warning are generally wikitext.)
>
> It would probably be worthwhile to write up the special character 
> inserter as a MediaWiki extension -- then it could be inserted into 
> the wikitext message in a safe, secure way.
>
> -- brion vibber (brion @ pobox.com)

Hi Brion,

I have spent more than 5 hours on creating the following, so I hope it 
is useful. (See attachment)

Jo
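An added example, not part of either message and not MediaWiki's own code: a small audit that flags interface messages whose raw HTML would run script in readers' browsers, which is the risk Brion describes, and shows the plaintext rendering that removes it. Only the message name Copyrightwarning and the path /style/wikibits.js come from the thread; the tag lists, the other message names, the sample bodies and `insertChar` are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Elements that run or load active content (illustrative list, not MediaWiki's own).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "style", "link", "meta", "base"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class MessageAuditor(HTMLParser):
    """Collects reasons a message body would be unsafe if emitted as raw HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            # Drop whitespace/control characters that browsers ignore in a URL scheme.
            url = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url.startswith(("javascript:", "data:", "vbscript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")

def audit(text):
    parser = MessageAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings

def render_plaintext(text):
    """Plaintext mode: every character is data, so no markup reaches the browser."""
    return escape(text, quote=True)

# Constructed sample overrides. insertChar is a hypothetical helper name.
MESSAGES = {
    "Copyrightwarning": 'Insert: <a href="#" onclick="insertChar(\'é\')">é</a>'
                        '<script type="text/javascript" src="/style/wikibits.js"></script>',
    "Example-notice": "Contributions may be edited by other users.",
    "Example-help": '<a href="java&#115;cript:void(0)">help</a>',  # entity-obfuscated scheme
}

def audit_all(messages):
    """Return only the messages that contain active content, with the reasons."""
    return {name: found for name, body in messages.items() if (found := audit(body))}

if __name__ == "__main__":
    for name, findings in audit_all(MESSAGES).items():
        print(name, findings)
```

The parser decodes character references in attribute values before the check, so the obfuscated `javascript:` scheme in the third sample is still reported.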


