Extension:Dhflashplayer/Dhflashplayer v0.99
WARNING: the code or configuration described here poses a major security risk.
Problem: Vulnerable to cross-site scripting (XSS) attacks, because it passes user input directly to the browser. This may lead to user accounts being hijacked, among other things.
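<?php
// DreamHost's free flash media player Mediawiki extension
//
// The DreamHost free flash media player wiki page : http://wiki.dreamhost.com/index.php?title=Flash_Media_Player
//
// Base code forked from FlashOnWeb-Stream Mediawiki extension by Eric Larcher 23.09.2006
// http://www.mediawiki.org/wiki/Extension:Flashow
//
// Versions:
// * 0.01, Jan. 2007 - Original version by PatrikRoy
// * 0.99, June 2009 - Updated by Mrsdonovan to include the version 1.5v of SWFObject and added flashvars for additional parameters.
//                     Can also be used multiple times on the same page.
// * 0.99-1 Mar 2010 - removed the blatant security issues. (There might still be more depending on what exactly the
//                     flashvars parameter actually does, and that it loads flash with the same-origin-policy removed
//                     from a random website). removed useless parameters, fixed invalid html.
//
// Installation:
// * save the code as dhflashplayer.php into the extension directory of your mediawiki installation
// * add the following to the end of LocalSettings.php: include_once("extensions/dhflashplayer.php");
//
// Usage:
// Use one section between <dhflashplayer>-tags for each feed. The dhflashplayer section must contain parameters
// separated by a pipe ("|"), just like links and templates. These parameters are supported:
//
// * file = file name with extension (e.g. "snake.swf") - This is important
// * width = width of the movie in px (e.g. "150")
// * height = height of the movie in px (e.g. "80")
// * path = full path of the movie file (e.g. "http://badger.com/")
// * flashvars = flashvariables to append to the file link, see example below
//
// Example:
// <dhflashplayer>file=mushroom.flv|width=200|height=120|path=http://somewebsite.com/movies/|flashvars=&showdigits=true&autostart=false&image=http://somewebsite.com/images/mushroom.jpg</dhflashplayer>
//
// Security notes:
// * Everything between the <dhflashplayer> tags is written by whoever can edit the page and is treated as untrusted.
// * Each value is escaped for the context it lands in: a JavaScript string literal inside <script>, or an HTML
//   attribute. HTML-entity encoding alone does not protect a JavaScript string (a backslash or a line break still
//   alters the literal), which is why the script values go through dhflashplayerJsString().
// * swfobject.js and mediaplayer.swf are fetched from media.dreamhost.com on every page view and the player is
//   embedded with allowscriptaccess=always, so that host, the media URL and the flashvars remain trusted inputs.
//   Escaping does not change that: self-host reviewed copies and/or restrict who may use the tag if that trust is
//   not acceptable for the wiki.
//

//install extension hook
$wgExtensionFunctions[] = "wfDhflashplayerExtension";
$wgExtensionCredits['parserhook'][] = array(
    'name' => 'dhflashplayer',
    'author' => array('Eric Larcher','PatrikRoy', 'Mrsdonovan'),
    'url' => 'http://www.mediawiki.org/wiki/Extension:Dhflashplayer',
    'description' => 'Inserts a flash media player from Dreamhost hosting onto a Mediawiki page',
    'version' => '0.99-1',
);

/**
 * Extension hook callback: registers the <dhflashplayer> parser tag.
 */
function wfDhflashplayerExtension() {
    global $wgParser;
    //install parser hook for <dhflashplayer> tags
    $wgParser->setHook( "dhflashplayer", "renderDhflashplayer" );
}

/**
 * Encode a value as a JavaScript string literal that is safe inside an inline <script> element.
 *
 * The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the value can neither close the
 * string literal nor the surrounding <script> element; backslashes are escaped by json_encode itself.
 *
 * @param mixed $value Value to encode (cast to string).
 * @return string A double-quoted JavaScript string literal; "" when the value cannot be encoded
 *                (for example invalid UTF-8).
 */
function dhflashplayerJsString( $value ) {
    $encoded = json_encode( (string)$value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
    if ( $encoded === false || $encoded === null || $encoded === 'null' ) {
        return '""';
    }
    return $encoded;
}

/**
 * Split the tag body into a map of lower-cased parameter name => trimmed value.
 *
 * A parameter given without "=" or with an empty value maps to ''.
 *
 * @param string $input Raw text between the <dhflashplayer> tags.
 * @return array
 */
function dhflashplayerParseArgs( $input ) {
    $args = array();
    foreach ( explode( "|", $input ) as $field ) {
        if ( strpos( $field, "=" ) === false ) {
            $args[strtolower( trim( $field ) )] = '';
            continue;
        }
        list( $key, $value ) = explode( "=", $field, 2 );
        $args[strtolower( trim( $key ) )] = trim( $value );
    }
    return $args;
}

/**
 * Remove ASCII control characters from a URL fragment supplied on the wiki page.
 *
 * @param string $value
 * @return string
 */
function dhflashplayerStripControl( $value ) {
    return (string)preg_replace( '/[\x00-\x1F\x7F]/', '', (string)$value );
}

/**
 * Parser hook callback: renders one <dhflashplayer> section.
 *
 * @param string $input Text between the tags: "name=value" pairs separated by "|".
 * @param array $argv Tag attributes (unused).
 * @param object|null $parser Parser instance; falls back to the global parser when omitted.
 * @return string HTML for the player placeholder plus the inline script that embeds it, or "" for
 *                an empty section.
 */
function renderDhflashplayer($input, $argv, $parser = null) {
    if (!$parser) {
        $parser = $GLOBALS['wgParser'];
    }
    if (!$input) {
        return ""; //if <dhflashplayer>-section is empty, return nothing
    }

    // NOTE(review): third-party script executed in the wiki's origin on every page that uses the tag.
    $parser->mOutput->addHeadItem('<script type="text/javascript" src="https://media.dreamhost.com/swfobject.js"></script>', 'dhflashplayer');

    // Only needs to be unique per page (duplicate ids are invalid html); it is not a secret.
    $rand = mt_rand();

    //parse fields in dhflashplayer-section
    $args = dhflashplayerParseArgs( $input );

    //get parameters from argument-array
    //(if you need an extra parameter, add it here and in the Final Output code)
    $file = urlencode( isset( $args["file"] ) ? $args["file"] : '' );
    $width = intval( isset( $args["width"] ) ? $args["width"] : 0 );
    $height = intval( isset( $args["height"] ) ? $args["height"] : 0 ) + 20; //adding player's toolbar height
    $path = dhflashplayerStripControl( isset( $args["path"] ) ? $args["path"] : '' );
    $flashvrbles = dhflashplayerStripControl( isset( $args["flashvars"] ) ? $args["flashvars"] : '' );

    // path is documented as a full http location. Any other explicit scheme is dropped instead of being
    // handed to a player that is embedded with allowscriptaccess=always.
    if ( preg_match( '/^\s*([a-z][a-z0-9+.\-]*):/i', $path, $m ) ) {
        $scheme = strtolower( $m[1] );
        if ( $scheme !== 'http' && $scheme !== 'https' ) {
            $path = '';
        }
    }

    // flashvars are appended to the file value, so they must start with exactly one "&".
    if ( $flashvrbles !== '' && substr( $flashvrbles, 0, 1 ) !== '&' ) {
        $flashvrbles = '&' . $flashvrbles;
    }

    // urlencode() output only contains [A-Za-z0-9_.-], "%" and "+"; map the last two to id-friendly characters.
    $id = strtr( $file . $rand, array( '%' => '.', '+' => '_' ) );

    // Final Output
    // HTML attribute context -> htmlspecialchars(); JavaScript string context -> dhflashplayerJsString().
    $output = "\n"
        . '<center><div id="' . htmlspecialchars( $id, ENT_QUOTES ) . '" class="dhflashplayer">'
        . '<a href="http://www.macromedia.com/go/getflashplayer">Get the Flash Player</a> to see this player.</div></center>' . "\n"
        . '<script type="text/javascript">' . "\n"
        . 'var sd = new SWFObject(\'https://media.dreamhost.com/mediaplayer.swf\',\'mpl' . $rand . '\',\'' . $width . '\',\'' . $height . '\',\'8\');' . "\n"
        // NOTE(review): "always" lets the remote SWF script the embedding page; see the security notes in the file header.
        . 'sd.addParam(\'allowscriptaccess\',\'always\');' . "\n"
        . 'sd.addParam(\'allowfullscreen\',\'true\');' . "\n"
        . 'sd.addVariable(\'height\',\'' . $height . '\');' . "\n"
        . 'sd.addVariable(\'width\',\'' . $width . '\');' . "\n"
        . 'sd.addVariable(\'file\',' . dhflashplayerJsString( $path . $file . $flashvrbles ) . ');' . "\n"
        . 'sd.write(' . dhflashplayerJsString( $id ) . ');' . "\n"
        . '</script>' . "\n";

    return $output;
}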
