Extension talk:Anysite
From MediaWiki.org
For people who think that this extension is unsafe
For people who think that this extension is unsafe: This extension allows every site to be embedded. So, technically, well, since HTML code in iFrame tag should not be rendered by Internet engine, I don't think this is the case. Especially, virtually many sites are unsafe. My purpose for creating this extension is to embed every, every site. If you think that you can improve this extension, please make notes in the discussion page. Idea: I will work on version 2.0 which will reject any bad website and any hacking program or permission changer. —The preceding unsigned comment was added by Gabeyg (talk • contribs) . Please sign your posts with ~~~~!
- This extension is not unsafe because it allows things to be shown in an iframe. It is extremely unsafe because it allows arbitrary javascript code to be injected into the page itself, thus allowing cookie theft, thus directly allowing attackers to hijack accounts. When passing things from $input to $output, the values must be strictly validated, or htmlspecialchars must be applied to them. Try something like <anyweb>"></iframe><script>alert("yum yum i eat your cookies!")</script><iframe name="anyweb" src="</anyweb>. To fix the gaping hole in this extension, use this:
    $output = '<iframe name="anyweb" src="'.htmlspecialchars($input)
        .'" width="'.$width.'" height="'.$height.'" frameborder="0">'.'</iframe>';
- cheers -- Duesentrieb ⇌ 01:57, 8 May 2007 (UTC)
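The flaw and fix described in the comment above, as a runnable side-by-side that combines escaping with the strict validation it mentions. This is an added example, not part of the original comment or the extension's own code; the function names `render_unsafe` and `render_safe`, the default sizes and the http/https allowlist are assumptions.

```php
<?php
// Added example, not the Anysite extension's own code.
// render_unsafe() reproduces the flaw described above; render_safe() is a
// hypothetical hardened callback.

function render_unsafe($input, $width = 800, $height = 600) {
    // Tag body is concatenated straight into the attribute: a '"' ends src=.
    return '<iframe name="anyweb" src="' . $input
        . '" width="' . $width . '" height="' . $height
        . '" frameborder="0"></iframe>';
}

function render_safe($input, $width = 800, $height = 600) {
    $url = trim($input);
    // Strict validation: absolute http(s) URL with a host, nothing else.
    // This also rejects javascript: and data: URLs, which escaping alone
    // would leave intact.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '<strong class="error">anyweb: URL rejected</strong>';
    }
    // Escape for a double-quoted attribute; ENT_QUOTES covers both quote types.
    $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    // Force dimensions to integers so they cannot carry markup either.
    return '<iframe name="anyweb" src="' . $src
        . '" width="' . (int)$width . '" height="' . (int)$height
        . '" frameborder="0"></iframe>';
}

// Constructed sample inputs: a normal URL, the payload quoted in the comment
// above, and a non-http scheme that escaping alone does not neutralise.
$samples = array(
    'http://www.google.com',
    '"></iframe><script>alert("yum yum i eat your cookies!")</script><iframe name="anyweb" src="',
    'javascript:alert(1)',
);
foreach ($samples as $s) {
    echo "input : $s\n";
    echo "unsafe: " . render_unsafe($s) . "\n";
    echo "safe  : " . render_safe($s) . "\n\n";
}
```

Only the first sample yields an iframe from `render_safe`; the other two return the error marker, while `render_unsafe` emits the injected `<script>` element verbatim.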
Brilliant
works a charm - thanks soo much! i've been fluffing around with IFRAME nonsense for a whole day trying to find a workaround for it. you're a lifesaver. i can finally embed our 'easy to use' noticeboard within our intranet!
if you chuck some more search keywords (iframe wiki workaround etc.) in this page you're bound to rescue hundreds of others! =)
thnkx again - dave fear, new zealand. —The preceding unsigned comment was added by 202.49.41.201 (talk • contribs) . Please sign your posts with ~~~~!
More options
Options to specify iframe width, height, and border would be nice in order to not have to force global settings for every embed. —Eep² 11:27, 20 August 2007 (UTC)
- OK, I will make new version to be able to choose that. --Gabeyg 11:46, 24 August 2007 (UTC)
Resize option
I made a few changes to get the iframe to resize itself. Setting the width to 100% takes care of the horizontal scroll bar. Anysite.php code edit:
# The callback function for converting the input text to HTML output
function renderanyweb($input) {
    // Escape the tag body before placing it in the src attribute
    $output = '<iframe id="anyweb" name="anyweb" src="'.htmlspecialchars($input).'" '
        .'style="position:relative;top:0px;left:0px;width:100%;overflow:auto;border:none;border-bottom:1px black solid" '
        .'allowtransparency="true"></iframe>';
    return $output;
}
If you have content from the same domain you can access the parent document and resize the frame dynamically by adding a script to the iframe document. Iframe document code addition (see http://www.diplok.com/1ppl/html/article093.html):
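<script>
// Runs inside the framed page; only works when it shares the wiki's origin
var frame = parent.document.getElementById("anyweb");
var frameHeight = document.body.scrollHeight;
frame.style.height = frameHeight + 5 + "px";
</script>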
If you don't have control over the content in the iframe you will have to add height:NNNpx; to the php code edit.
Cheers, Wade —The preceding unsigned comment was added by 205.230.28.193 (talk • contribs) . Please sign your posts with ~~~~!
Safe?
How is this safe? Can't javascript be inserted into the page that is shown and all kinds of nefarious things be done with it? —The preceding unsigned comment was added by 65.89.233.43 (talk • contribs) . Please sign your posts with ~~~~!
- I admit to not being a guru when it comes to security. I would appreciate a bit of info on how this is "Safe" as its tag line says it is. --Vaccano 16:27, 5 November 2007 (UTC)
- Because I really wanted to use this extension I did some research and found that iFrames do not protect you from the content within them. Use this extension only if you trust everyone who can edit your wiki to know better than to include bad pages (something rarely possible). Otherwise you are opening up your Wiki (and anything your wiki users can access) to nefarious activity.
- A better option (though not foolproof) is Extension:Secure HTML or its similar editing rights based counterparts. --Vaccano 19:04, 28 January 2008 (UTC)
Would anyone work for me?
I allow anyone to change the source code of this extension. But if I find the code to make this extension unstable, I will remove it. —The preceding unsigned comment was added by Gabeyg (talk • contribs) . Please sign your posts with ~~~~!
I can't use this...
It just shows <anyweb>http://www.google.com</anyweb> —The preceding unsigned comment was added by 85.228.121.73 (talk • contribs) . Please sign your posts with ~~~~!
- Same Here. It does not work.--Amglez 16:38, 28 January 2008 (UTC)
- Same with me. Odessaukrain 02:29, 30 March 2008 (UTC)
coding not complete?
Hi, This seems a very useful extension but the code-example seems not complete (anymore?) —The preceding unsigned comment was added by 171.21.80.126 (talk • contribs) . Please sign your posts with ~~~~!
Requesting that this extension be protected or deleted
Gabeyg removed negative warnings on this page[1]
Gabeyg deleted a serious warning template on Extension:Anysite twice.
This extension is obviously not stable. Yet the creator lists it as stable.
- I am requesting that this extension be deleted or protected.
- I restored the serious template warning.
- I changed the status from stable to experimental.
- I restored the comments Gabeyg deleted.
- I think Gabeyg should be warned.
Odessaukrain 03:01, 30 March 2008 (UTC)
Works a charm ...
Hi, I've been using this extension for some months now (on nearly every page) and until today I haven't noticed any problems. I'm not a coder/programmer, so I have no clue if this extension is now safe or not (I'm unable to follow all the undated postings above). So all I can say is that this extension "works a charm" for me - so far (I'm using MW 1.12). I hope I can soon see some new comments or maybe some improvements for this extension from its creator (Gabeyg) or any helpers or users of this extension, because this extension is definitely great and very EASY to use ... BTW - For the last posters above: I have just compared my extension code-file with the current code on the extension site. As far as I can see - nothing has changed. So I wonder why you can't get the extension to work ...
--80.109.228.11 02:26, 22 April 2008 (UTC)

