Extension:Secure HTML

From MediaWiki.org

If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
For further details, see Security issues with authorization extensions


Secure HTML

Release status: unknown

Implementation: Tag, User rights
Description: Lets you display arbitrary HTML on a wiki, gated by a hash that only holders of a secret key can produce.
Author(s): Ryan Finnie
MediaWiki: 1.5+
License: No license specified
Download: see below

Occasionally you need to display HTML within a wiki, but allowing it site-wide opens you up to various XSS attacks. This extension addresses that by letting you embed arbitrary HTML, but only if the block carries a matching hash: the MD5 of a secret key, known only to authorized people, concatenated with the HTML. Be clear about what the hash does and does not protect. It stops anyone without a key from adding or altering an HTML block, but the block itself is emitted without any sanitization, so every key holder can put script on the wiki; treat the keys like administrator passwords and hand them out accordingly.

Once you set up the extension, go to Special:SecureHTMLInput:

  1. input an optional key name,
  2. the key value, and
  3. the HTML you wish to display.

The page will return a snippet such as this:

<shtml keyname="mykey" hash="d5d03e7a15b6cf75b906d64d28ce8454"><b>This is some HTML</b></shtml>

Simply cut and paste the generated snippet into an article and the HTML will be displayed. If somebody else modifies that HTML block, or its hash or keyname attribute, the hash no longer matches and the article shows an "Error: invalid hash" message in place of the HTML. The hash covers every byte between the tags, whitespace and line endings included, so the snippet has to be pasted exactly as generated; this is also why the generator converts CRLF line endings to LF before hashing.
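The following is an added example, not code from the extension itself: a stand-alone sign/verify pair for the scheme described above (hash = md5(key . HTML)), so you can see on the command line what the special page computes and what the parser hook has to check. The key names mirror the $shtml_keys array from LocalSettings.php; the key values, the HTML body and the function names shtmlSign/shtmlVerify are constructed for this example. The verifier here also rejects an unknown key name outright and compares the digests strictly, which the extension's own renderSecureHTML does not do.

```php
<?php
// Added example, not part of the extension: sign/verify for <shtml>, hash = md5(key . HTML).
// $keys stands in for $shtml_keys from LocalSettings.php; values are constructed.
$keys = array(
    'primary key' => 'constructed-secret-key-1',
    'another key' => 'constructed-secret-key-2',
);

// What Special:SecureHTMLInput does: normalise CRLF to LF, then hash key . html.
function shtmlSign(array $keys, $keyname, $html) {
    if (!isset($keys[$keyname])) {
        throw new InvalidArgumentException("unknown key name: $keyname");
    }
    $html = str_replace("\r\n", "\n", $html);
    return md5($keys[$keyname] . $html);
}

// What the parser hook must check before emitting $input unsanitised.
// An unknown keyname is rejected rather than silently hashed with an empty key,
// and the digests are compared strictly (constant-time where hash_equals exists)
// instead of with PHP's loose ==.
function shtmlVerify(array $keys, array $argv, $input) {
    $keynames = array_keys($keys);
    $keyname = (isset($argv['keyname']) && $argv['keyname'] !== '')
        ? $argv['keyname'] : $keynames[0];          // first key is the documented default
    if (!isset($keys[$keyname]) || !isset($argv['hash'])) {
        return false;
    }
    $expected = md5($keys[$keyname] . $input);
    $given = (string) $argv['hash'];
    if (function_exists('hash_equals')) {           // PHP >= 5.6
        return hash_equals($expected, $given);
    }
    return $expected === $given;
}

// Build the snippet an authorised user would paste into an article.
$body = '<b>This is some HTML</b>';
$hash = shtmlSign($keys, 'primary key', $body);
printf("<shtml keyname=\"primary key\" hash=\"%s\">%s</shtml>\n", $hash, $body);

$checks = array(
    // Pasted unchanged: accepted.
    'intact'          => shtmlVerify($keys, array('keyname' => 'primary key', 'hash' => $hash), $body),
    // Someone edits the block after it was signed: rejected.
    'tampered body'   => shtmlVerify($keys, array('keyname' => 'primary key', 'hash' => $hash),
                                     $body . '<i>edited</i>'),
    // Hash made with one key, presented under another key name: rejected.
    'wrong key'       => shtmlVerify($keys, array('keyname' => 'another key', 'hash' => $hash), $body),
    // Unknown key name with hash = md5(body): rejected, must not fall back to an empty key.
    'unknown keyname' => shtmlVerify($keys, array('keyname' => 'nope', 'hash' => md5($body)), $body),
    // keyname omitted: the first configured key is used.
    'default key'     => shtmlVerify($keys, array('hash' => $hash), $body),
);
foreach ($checks as $label => $ok) {
    printf("%-16s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Run it with the php command-line interpreter. The construction is kept as the extension uses it; note that md5(key . html) is a secret-prefix MAC rather than an HMAC, and MD5 is length-extendable, so anyone reworking the extension should switch the signing and checking to hash_hmac() rather than keep the bare concatenation.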


Installation

  1. Copy the two code blocks below into two text files, saved as SecureHTML.php and SpecialSecureHTMLInput.php.
  2. Put SecureHTML.php in the extensions/ folder of your MediaWiki installation.
  3. Put SpecialSecureHTMLInput.php in the includes/specials/ folder of your MediaWiki installation.
     If there is no specials folder inside includes/, put SpecialSecureHTMLInput.php directly in includes/.
  4. Add the line include("extensions/SecureHTML.php"); to the end of your LocalSettings.php file, above the closing ?> if there is one.
  5. In LocalSettings.php also add:
     $shtml_keys = array(
       'primary key' => 'Place a secret key string here',
       'another key' => 'some other secret key string'
     );
     replacing "Place a secret key string here" with your own secret key string. Use a long random string for each value: anyone who knows it can publish arbitrary HTML on the wiki, so never write it into a wiki page.


Go to Special:SecureHTMLInput on your wiki to add the HTML block.

extensions/SecureHTML.php

<?php
 
/*****************************************************************************
Secure HTML Extension - by Ryan Finnie <ryan@finnie.org>
MediaWiki 1.5 and above
 
Installation:
  * Place SecureHTML.php in extensions/ under the MediaWiki tree.
  * Place SpecialSecureHTMLInput.php in includes/.
  * Add one or more keys to LocalSettings.php:
    $shtml_keys = array(
      'primary key' => 'Place a secret key string here',
      'another key' => 'some other secret key string'
    );
  * Add this to LocalSettings.php: include("extensions/SecureHTML.php");
  * Go to Special:SecureHTMLInput on the wiki to sign an HTML block.
 
Usage: <shtml hash="0123456789abcdef0123456789abcdef"
            [ keyname="key name" ] >HTML</shtml>
 
Options:
  hash - The hash generated by SecureHTMLInput.
  keyname - One of the keys specified in the $shtml_keys array.  If no
    keyname is specified, the first key in the array is used.
  HTML - The HTML you wish to display.
 
*****************************************************************************/
 
$wgExtensionFunctions[] = "wfSecureHTMLExtension";
 
$wgExtensionCredits['parserhook'][] = array(
  'name' => 'Secure HTML',
  'author' => 'Ryan Finnie',
  'url' => 'http://www.mediawiki.org/wiki/Extension:Secure_HTML',
  'description' => 'Lets you include arbitrary HTML in an authorized and secure way',
);
 
$wgExtensionCredits['specialpage'][] = array(
  'name' => 'Secure HTML',
  'author' => 'Ryan Finnie',
  'url' => 'http://www.mediawiki.org/wiki/Extension:Secure_HTML',
  'description' => 'Lets you include arbitrary HTML in an authorized and secure way',
);
 
function wfSecureHTMLExtension() {
    global $wgParser;
    global $wgMessageCache;
 
    $wgParser->setHook( "shtml", "renderSecureHTML" );
 
    require_once('includes/SpecialPage.php');
    $wgMessageCache->addMessages(array('securehtmlinput' => 'Secure HTML Input'));
    SpecialPage::addPage( new SpecialPage( 'SecureHTMLInput' ) );
}
 
function renderSecureHTML( $input, $argv ) {
  global $shtml_keys;
  $keykeys = array_keys($shtml_keys);
  // Default to the first configured key when no keyname attribute is given.
  $keyname = (isset($argv['keyname']) && $argv['keyname'] !== '') ? $argv['keyname'] : $keykeys[0];
  // Reject unknown key names: looking up a missing entry would yield an empty
  // key, and the block would then verify against md5($input) alone.
  if(!isset($shtml_keys[$keyname])) {
    return '<b><i>Error: unknown key name</i></b>' . "\n";
  }
  $key = $shtml_keys[$keyname];
  $testhash = isset($argv['hash']) ? (string)$argv['hash'] : '';
  $hash = md5($key . $input);
  // Strict comparison: a loose == would compare "0e..." style digests numerically.
  if($hash === $testhash) {
    $output = $input;
  } else {
    $output = '<b><i>Error: invalid hash</i></b>' . "\n";
  }
 
  return $output;
}
?>

includes/SpecialSecureHTMLInput.php (or includes/specials/SpecialSecureHTMLInput.php on newer versions)

<?php
function wfSpecialSecureHTMLInput() {
  global $wgOut;
  global $wgRequest;
 
  // Only act on the POSTed form. The preview at the bottom echoes the submitted
  // HTML unescaped, so a GET link carrying key= and html= must not render it.
  if($wgRequest->wasPosted() && $wgRequest->getVal('key') && $wgRequest->getVal('html')) {
    // Normalise line endings so the hash matches what the wiki stores.
    $html = str_replace("\r\n", "\n", $wgRequest->getVal('html'));
    $keyname = $wgRequest->getVal('keyname');
    $wgOut->addHTML('<form><textarea cols="40" rows="15" readonly>');
    $wgOut->addHTML('&lt;shtml ');
    // Escape the key name so it cannot break out of the textarea.
    $wgOut->addHTML(($keyname ? 'keyname="' . htmlspecialchars($keyname) . '" ' : ''));
    $wgOut->addHTML('hash="' . md5($wgRequest->getVal('key') . $html) . '"&gt;');
    $wgOut->addHTML(htmlspecialchars($html));
    $wgOut->addHTML('&lt;/shtml&gt;');
    $wgOut->addHTML('</textarea></form>' . "\n");
    $wgOut->addHTML('Copy the code above EXACTLY and paste it into the wiki editor.<br>' . "\n");
    $wgOut->addHTML('If the generated code does not work, try removing all linefeeds from the input HTML and re-generate.<br>' . "\n");
    $wgOut->addHTML('<hr>' . "\n");
    // Preview of the signed block, rendered as-is for the key holder who submitted it.
    $wgOut->addHTML($html);
  } else {
    $wgOut->addHTML('<form method="post">' . "\n");
    $wgOut->addHTML('<b>Key Name</b> (optional): <input name="keyname" size="20"><br>' . "\n");
    // Password field so the secret key is not shown on screen.
    $wgOut->addHTML('<b>Key</b>: <input type="password" name="key" size="20"><br>' . "\n");
    $wgOut->addHTML('<b>HTML</b>: <textarea name="html" cols="40" rows="15"></textarea><br>' . "\n");
    $wgOut->addHTML('<input type="submit">' . "\n");
    $wgOut->addHTML('</form>' . "\n");
  }
}
?>

See also

  • Extension:SecureHTML - a different extension, which restricts <html> sections to protected pages and namespaces; unfortunately it has a very similar name.
  • Extension:Anysite - embeds a website in a wiki page without touching the HTML settings.