Extension:SecureHTML

From MediaWiki.org
Jump to: navigation, search
MediaWiki extensions manual - list
Crystal Clear action run.png
SecureHTML

Release status: beta

Implementation Tag, User rights
Description This extension securely inserts HTML section(s) or pages on a wiki page.
Author(s) Jean-Lou Dupont
Latest version 2.3.0
MediaWiki 1.10.0 - 1.15.x
License No license specified
Download

Translate the SecureHTML extension if possible

Check usage and version matrix; code metrics

This extension allows editors to add HTML section(s) or pages on a wiki page. This extension can only be used on protected pages, but allows an editor to add a protected template on an unprotected, editable page. The extension uses the '$wgRawHtml' global variable of Mediawiki.

Features[edit | edit source]

  • Cascading: if the base page is allowed to use 'html' tags, then all included pages will be processed as if they could.
  • Namespace exemption: configured namespaces are exempted from 'protection' requirement
  • Parser cache friendliness:
    • The extension must be enabled to continue the support of the inserted content
  • Support for the parser function {{#html}}
  • {{#shtml}} is very well suited for securely embedding widgets such as the ones created with SproutBuilder or GoogleGadgets.
    • The page where the shtml parser function is used does not need to be protected but the template page where the javascript/html widget code is located must though.
    • This behavior makes it easy for administrator to allow selected widgets to be included by the user population of the wiki

Usage[edit | edit source]

< html> tag[edit | edit source]

  • Use the standard <html> tags (see Manual:$wgRawHtml) within a protected page. One can either protect the page before or after the inclusion of the said tag(s).
  • Complete usage example for using iframes tag:
<html><iframe src="http://stim.com/" width=600 height=500></iframe></html>

{{ #html}} parser function[edit | edit source]

Use: {{#html:page_name [|optional parameters]}} where:

  • page_name is the page name of the article to include
  • optional parameters are of the form:
    • param_x = value_x | param_y = value_y

The page where this parser function is used must be edit protected.

{{ #shtml }} parser function[edit | edit source]

Same usage as for #html with difference that the origin page where this parser function is used does not need to be edit protected. The target page's edit protection attribute ensures security.

Example[edit | edit source]

Test Page[edit | edit source]

{{#html:Template:Page1|param1=value1}}

Template:Page1[edit | edit source]

This parameter will be replaced when called from Test:Page >> {@{param1}@}


Required extensions[edit | edit source]


Installation[edit | edit source]

See the Mediawiki Extension table entry "download" above.[1]

LocalSettings.php[edit | edit source]

Extension:ExtensionManager: See footnote[2]

require_once( "$IP/extensions/SecureHTML/SecureHTML.php" );
  • Since this Extensions is depending on StubManager, add the line after the StubManager include, or else your Wiki won't work.

PEAR[edit | edit source]

PEAR is a repository of PHP software code.

pear channel-discover mediawiki.googlecode.com/svn
  • Install extension through PEAR:
pear install mediawiki/SecureHTML
  • Add the following to LocalSettings.php[2][3]:
require 'MediaWiki/SecureHTML/SecureHTML.php';
  • Note that the required version of PEAR must be respected. Currently, the minimum version of PEAR usable with this channel is v1.6.2. Perform the following command to upgrade to the latest version of PEAR:
pear upgrade pear

Upgrades through PEAR[edit | edit source]

Sometimes, it is necessary to clear PEAR's cache in order to perform upgrades.

pear clear-cache

or use the force method:

pear upgrade --force mediawiki/SecureHTML

PEAR Web Frontend[edit | edit source]

For easier remote package management, PEAR Frontend WEB can be installed. Installation notes can be found here. An example of the WEB frontend is available here.

RSS feed[edit | edit source]

To keep up-to-date with this channel, use the following RSS feed__Rss2.jpg.

Notes[edit | edit source]

Other Extensions From the same author[edit | edit source]

Consult User Jldupont's page.


  1. The most recent release is always available through the extension's PEAR and SVN repositories. This page is not necessarily up-to-date.
  2. 2.0 2.1 2.2 Extension:ExtensionManager does not require any modification to LocalSettings.php because ExtensionManager includes the extension.
    Note that if PHP code caching is in place (e.g. APC, eAccelerator), then to successfully complete the installation a cache flush might be needed.
  3. Modifications to LocalSettings.php is only necessary if not using Extension:ExtensionManager

Reason for the {{ #html}} parser function[edit | edit source]

It is sometimes useful to include, in a secure fashion, a template containing 'raw html' in another page. This enables, for example, the construction of gadgets.

Through the added functionality of parameterization using the {@{parameter_here}@}, the said templates can be customized on a per-page basis without resorting to convoluted escape patterns (e.g. </html>{{{parameter_here}}}<html>) which renders page viewing difficult to humans.

History[edit | edit source]

  • added namespace exemption functionality i.e. namespaces where article do not need to be protected in order to use 'html' tags
    • use SecureHTMLclass::enableExemptNamespaces = false; to turn off
    • use SecureHTMLclass::exemptNamespaces[] = NS_XYZ; to add namespaces
  • enhanced with functionality to 'add' content to the document's 'head' section
  • Removed dependency on ExtensionClass
  • Enabled for 'StubManager'
  • Added 'addExemptNamespaces' function

1.1.0[edit | edit source]

  • Added, by default, NS_MEDIAWIKI namespace to the exemptNamespaces

2.0.0[edit | edit source]

  • Addition of the parser function {{ #html}}

2.1.0[edit | edit source]

Todo[edit | edit source]

  • Fix for allowing more customization of 'exempt' namespaces even when using StubManager
  • Think about renaming the extension to be more distinct from Extension:Secure HTML

See also[edit | edit source]

Language: English  • 日本語