Extension talk:AdSense
From MediaWiki.org
Any user names refer to users of that site, who are not necessarily users of MediaWiki.org (even if they share the same username).
Hi there
I was just wondering what is there to stop someone clicking the edit button on your page and putting their adsense account number into your adsense code?
404
There is nothing stopping them doing that I suppose - I would though create a template and lock it for sysadmins only to edit. I can't download this extension anyway as the file seems to be returning a 404!
Code updated
The code has been updated and there is no more 404 error. The best way to prevent someone from changing your code is, as mentioned, using protected templates only. Anyway, this would not prevent people from putting their own ads elsewhere.
Nice
Thanks glad you liked my additions.
Very pleased with this extension so far - looking at more for my wiki now :)
Cheers Ian
- An Adsense extension? Brilliant! http://lukej.net/mediawiki/index.php/AdSense :) While Golden Santos is pretty close to my source, the concept is simple, so I have to presume GS came up with this on their own, 5 months after I did. However, this guy http://wiki.triangle-solutions.com/index.php/Extensions_Google_Adsense and GS had probably ought to discuss who copied who; as far as I can tell without a 'diff', the author/copyright are the only changed lines, the example even has the same google id!
- You can check the history to clarify those *important* issues.
- Nothing better to do, so I did check... Looks like Golden Santos beat out Triangle guy by a few weeks, so we're left to presume Golden Santos was the 'original'. However, you have to understand the original poster's 'feelings' since this page is listed as the Official Media Wiki Extension, and this code is similar to their prior creation (perhaps coincidentally). In the end, I guess credit for a GPL or PHP license script probably isn't as much of an " *important* issues " as the $$$ from AdSense... :)
- I wanted to clarify this hype going on... When I implemented the AdSense extension I did some research and only found how to write code into the template, but no extensions. Since it is a simple extension I wrote it myself and published it on the official site so everybody would have access. As you mention, it is simple code and no wonder we approached it the same way, but no copy whatsoever. --Naoise 09:09, 23 July 2007 (UTC)
Raw JavaScript code
- This tag allows the injection of raw JavaScript code with full browser privileges on any page. This seems really dangerous. Mike Dillon 20:38, 30 January 2007 (UTC)
- Took me a second to think this through, then I got it. For slow folks like me: While the extension is at the site admin level (e.g. only root can install it) it takes whatever is in the wiki tag ($input), and dumps that right into the page output! Now if you have a public wiki, somebody could edit your wiki, and put anything between this tag. E.g. a JS to redirect them to another site, or perhaps the latest buffer overflow for any given browser (allowing installation of malware)! (If all your pages are locked, well, then you are relatively safe...)
- This might be easily avoided by using a couple of PHP tags to strip stuff out of the $input variable. The example mentioned above ( http://lukej.net/mediawiki/index.php/AdSense ), uses $clean = str_replace("\n"," ",strip_tags($input)); and tries to clean up wiki user input. Not sure if this is sufficient to stop JS injection attacks? But dumping raw tag input back out on a page does seem dangerous!
The strip_tags function in PHP deals with HTML tags, not JavaScript code. The only really safe way to do this extension is to only support known AdSense variables and to ensure within the PHP code that the values of those variables generate valid JavaScript. The easiest way to do this is probably to use the attribute=value capability of MediaWiki extensions for passing in the AdSense config instead of using the tag body. You would end up with something like this for the extension call:
<adsense
ad_client = "pub-XXXXXXXXXXXXXXXX"
ad_width = "728"
ad_height = "90"
ad_format = "728x90_as"
ad_type = "text_image"
ad_channel = "3267063621"
color_border = "FFFFFF"
color_bg = "FFFFFF"
color_link = "3D81EE"
color_text = "000000"
color_url = "3D81EE"
/>
You would then have the PHP code explicitly look for each of the parameters and render escaped JavaScript code from them. The PHP code would be pretty simple because all it would really need to do is quote the passed-in values and escape any quotation marks they contain. Mike Dillon 03:52, 22 February 2007 (UTC)
- Here's a safer version of this extension: meta:User:Mike Dillon/AdSense. Mike Dillon 04:34, 22 February 2007 (UTC)
- I was going to propose changing the code to this safer version. Many pointed out the raw JavaScript flaw. At first I thought that that flaw was outweighed by the simplicity of use, just copy & paste your code, but now I would like to put it in a stable status. The "bad" thing is then that every time there's a new Google tag the code must be changed and thus the extension updated. Could you give me your thoughts on that? --Naoise 09:16, 23 July 2007 (UTC)
- Considering the fact that this is a lot safer and just as flexible as the other one, I would go for this version and replace the one currently listed on the extension page with this. In all the time I have used Google AdSense (since its start) the code has not changed in any significant way that would make this extension useless. As a side note, a variable could be added to set the ad client in the local settings, so it is "hardcoded" and can't be changed by anyone. This would prevent the hijacking of ads. Or you can simply hardcode it into the extension.
- We've been talking about it. Maybe we could comment some things to finally improve it, who makes a clever title for it? Anybody knows if there are plans to create less hardcore-coding extensions? Like WordPress'. Another thing: multiple adsense codes? --Naoise 18:24, 29 July 2007 (UTC)
- I think the version I currently have is the most advanced one. Just added another missing parameter for the "rounded corners" feature they introduced for ads. The extension is basically what you did, then more secured by Mike, but it lost some flexibility and functions in that process. So I added them back in (so you can use it for multiple things, like referrers and all features of the units) and the optional locking of the client id. I mean if you want multiple different ad client ids, then simply don't lock it, as that is the default behavior. But I think most people will want to put the lock on it. Either way that only locks the id. You can still define multiple different ad units and colors. It has all the flexibility back you gave it in the first place but with the extra security from Mike and me added in. I think this simply should be the "official" version. I wouldn't mind putting my link into the source, other than that a mention is enough for me. If you want to, I can update the page, or you can do it yourself, whatever you prefer. Simon Moon 03:10, 1 August 2007 (UTC)
Safe Version
This version leaves pretty large security holes. After working more intently on an alternative I have a secure and tested version. It works flawlessly on a clean MW 1.10.1 install. I suggest using that one, and I also would suggest changing this page over to my version, for the sake of security. --Simon Moon 03:50, 29 August 2007 (UTC)
Note that the above conversation may have been edited or added to since the transfer. If in doubt, check the edit history.
Enhanced Alternative
Based on Mike Dillon's work, I made an enhanced alternative version, including the other parameters that were missing in his version (which could be easily but dangerously included in the original one) and a security feature, to provide the ad_client variable in the LocalSettings, which will overwrite whatever else the adsense code gets as input.
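The approach Mike Dillon describes above (read only known AdSense attributes, emit quoted and escaped values) together with the configured ad_client override from this section, as an added example that is not the code of any version linked on this page. The function name, the value patterns and the placeholder publisher IDs are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not the code of any extension linked here.
// Value patterns are assumptions inferred from the sample <adsense .../> call above.
const HEX6 = '/\A[0-9A-Fa-f]{6}\z/';
const DIM  = '/\A[0-9]{1,4}\z/';
const ADSENSE_PARAMS = [
    'ad_client'    => '/\Apub-[0-9]{16}\z/',
    'ad_width'     => DIM,
    'ad_height'    => DIM,
    'ad_format'    => '/\A[0-9]{1,4}x[0-9]{1,4}_as\z/',
    'ad_type'      => '/\A(text|image|text_image)\z/',
    'ad_channel'   => '/\A[0-9]{1,20}\z/',
    'color_border' => HEX6,
    'color_bg'     => HEX6,
    'color_link'   => HEX6,
    'color_text'   => HEX6,
    'color_url'    => HEX6,
];

// $args: tag attributes as name => value; $lockedClient: ID from site config, or null.
function renderAdSenseConfig(array $args, ?string $lockedClient): string
{
    if ($lockedClient !== null) {
        $args['ad_client'] = $lockedClient; // configured ID always wins over page input
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $lines = [];
    foreach (ADSENSE_PARAMS as $name => $pattern) { // only allowlisted names are ever read
        $value = $args[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            continue; // missing or malformed value: emit nothing for this variable
        }
        // json_encode yields a quoted JS string; the HEX flags escape < > & ' " inside it.
        $lines[] = "google_{$name} = " . json_encode($value, $flags) . ';';
    }
    return "<script type=\"text/javascript\">\n" . implode("\n", $lines) . "\n</script>\n";
}

// Constructed sample input: an ID that gets overridden, a malformed value, an unknown name.
$sample = [
    'ad_client' => 'pub-1111111111111111',        // replaced by the locked ID
    'ad_width'  => '728',
    'ad_height' => '90',
    'color_bg'  => 'FFFFFF"; document.title="x', // fails HEX6, dropped
    'onload'    => 'anything',                    // not on the allowlist, ignored
];
echo renderAdSenseConfig($sample, 'pub-0000000000000000'); // constructed placeholder ID
```

The patterns use `\A` and `\z` rather than `^` and `$` because `$` also matches before a trailing newline, which would let a line break through into the generated script.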
Removed link
This link is broken:
- This way only places ads on relevant pages (e.g. AdSense Ts&Cs say you are not allowed to place an ad on a logon page) and can ban one user (e.g. the AdSense "owner") to prevent accidental clicks: http://wiki.edsimpson.co.uk/index.php/Adding_AdSense_to_MediaWiki
Odessaukrain 07:08, 13 April 2008 (UTC)
this is rather confusing someone clarify please
From what I understand:
1. Raw JavaScript is a security risk.
2. Can't have AdSense on non-content pages such as the login page.
3. Owner (me) cannot click on ads.
Does this extension cover all of this? If so, why is it not marked as stable?
I ask because I have been in the process of making a wiki and I now want to bring it online. However, before I do so I want to add AdSense to my pages. I do not want to break any rules or leave any security risks. Does this accomplish this? Does it add AdSense to all the pages automatically? My wiki is several thousand pages long and I do not want to have to go and add all these ads by hand. If the security concerns have been met, why hasn't the main article been updated to reflect this?
It will be a public wiki so I can't lock the entire page, as any registered user needs to be able to add content.

