Manual:Allowing HTML Uploads
From MediaWiki.org
The MediaWiki software takes many precautions to block the uploading of HTML.
Caution: Allowing users to upload HTML files is a major security risk: it lets user-supplied JavaScript run in the context of your wiki site, leaving it open to cross-site scripting (XSS). Depending on your server configuration, the instructions below may also allow people to upload PHP and other scripts that execute on the web server under the web server's own account. Do not allow this unless you know exactly what you are doing.
If you want to allow uploading of .html files:
1. Obviously, ensure general file uploading is enabled in LocalSettings.php:
$wgEnableUploads = true; # Enable uploads
2. In /includes/SpecialUpload.php, comment out this check:
# check for htmlish code and javascript
if( $this->detectScript( $tmpfile, $mime ) ) {
    return new WikiErrorMsg( 'uploadscripted' );
}
| This completely disables detection of potentially harmful scripts that could be executed either on the web server or in visitors' web browsers! |
3. In /includes/DefaultSettings.php, edit these lines so that the HTML extensions and MIME types are no longer listed (edits to DefaultSettings.php are lost on upgrade; the same effect can be had by overriding these arrays in LocalSettings.php, which is loaded afterwards):
/** Files with these extensions will never be allowed as uploads. */
$wgFileBlacklist = array(
    # HTML may contain cookie-stealing JavaScript and web bugs
    'html', 'htm', 'js', 'jsb',
/** Files with these mime types will never be allowed as uploads
 * if $wgVerifyMimeType is enabled.
 */
$wgMimeTypeBlacklist = array(
    # HTML may contain cookie-stealing JavaScript and web bugs
    'text/html', 'text/javascript', 'text/x-javascript', 'application/x-shellscript',
| Allowing HTML uploads implies that people can inject arbitrary JavaScript code into your wiki, opening it up to cross-site scripting and similar attacks. |
4. In /includes/DefaultSettings.php, add 'html' to the list of allowed file extensions:
$wgFileExtensions = array(...
The other option is to just allow uploading of any and all file types, in /includes/DefaultSettings.php:
$wgStrictFileExtensions = false;
| This allows people to upload PHP files and other scripts that may be run on the web server! |
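The following LocalSettings.php fragment is an added example, not code from this manual page or from MediaWiki itself. It collects steps 1, 3 and 4 above into the file MediaWiki loads after DefaultSettings.php, so the defaults are overridden without editing core files, and it contrasts that with the "other option" of turning off strict extension checking. It removes only the HTML entries from the two blacklists, keeping JavaScript and shell-script entries blocked. Step 2 (the detectScript() call) has no configuration equivalent in the MediaWiki versions this page describes; the remark about $wgDisableUploadScriptChecks applies to MediaWiki 1.17 and later and is an assumption about your version.

```php
<?php
// LocalSettings.php excerpt (added example, not from the manual page).
// Loaded after DefaultSettings.php, so every assignment here overrides
// the default value without touching files that an upgrade replaces.

// Step 1: enable uploads at all.
$wgEnableUploads = true;

// Step 4: accept the .html/.htm extensions. Appending keeps the default
// whitelist (png, gif, jpg, jpeg) intact instead of redefining it.
$wgFileExtensions[] = 'html';
$wgFileExtensions[] = 'htm';

// Step 3: take only the HTML entries out of the blacklists. array_diff
// keeps 'js', 'jsb', 'text/javascript', 'text/x-javascript',
// 'application/x-shellscript' and any other blocked entry, which
// redefining the whole array from scratch would silently drop.
$wgFileBlacklist     = array_diff( $wgFileBlacklist, array( 'html', 'htm' ) );
$wgMimeTypeBlacklist = array_diff( $wgMimeTypeBlacklist, array( 'text/html' ) );

// Keep the extension whitelist strict. Setting this to false (the "other
// option" on this page) would also admit .php, .phtml, .cgi and similar,
// which the web server may execute.
$wgStrictFileExtensions = true;

// Keep MIME verification on, so a file whose detected type does not match
// its extension is still rejected; the MIME blacklist above only applies
// while this is true.
$wgVerifyMimeType = true;

// Step 2 still has to be done by hand in /includes/SpecialUpload.php for
// the versions this page describes. MediaWiki 1.17 and later expose the
// same switch as a setting (assumption about your version; grep
// DefaultSettings.php for the variable before relying on it):
// $wgDisableUploadScriptChecks = true;
```

Even with only text/html admitted, an uploaded page is served from the wiki's own origin and its scripts can read the wiki's cookies, which is exactly the XSS the warnings above describe. If you must do this, serve the upload directory from a separate hostname (in versions that provide $wgUploadBaseUrl, point it at a different domain) so uploaded scripts do not run in the wiki's origin; that reduces the damage but does not remove the risk.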