Extension talk:VideoFlash

What about adding support for Revver? I tried to tweak it on my own but I was having some difficulty. Any suggestions?
 * I have added Revver support to VideoFlash extension --Args 11:36, 24 March 2007 (UTC)

A quick and dirty solution to display videos from Revver (Example):

Copy the following code into extensions/revverflash.php:

<?php

/*******************************************************************************
 * RevverFlash Extension by Daniel Hüttenmeister, based on VideoFlash extension *
 * http://www.mediawiki.org/wiki/Extension:VideoFlash                          *
 * Tag :                                                                       *
 * v                                                                           *
 * Ex :                                                                        *
 * http://one.revver.com/watch/89072                                           *
 * 89072                                                                       *
 * Ex :                                                                        *
 * http://one.revver.com/watch/89072                                           *
 * 89072                                                                       *
 * 89072                                                                       *
 ******************************************************************************/

// Register the setup function and the extension credits.
$wgExtensionFunctions[] = 'wfRevverFlash';
$wgExtensionCredits['parserhook'][] = array(
    'name' => 'RevverFlash',
    'description' => 'RevverFlash (based on VideoFlash from Alberto Sarullo)',
    'author' => 'Daniel Hüttenmeister',
    'url' => 'http://www.mediawiki.org/wiki/Extension:VideoFlash'
);

// Hook the revverflash tag into the parser.
function wfRevverFlash() {
    global $wgParser;
    $wgParser->setHook('revverflash', 'renderRevverFlash');
}

// 1) The callback function for converting the input text to HTML output
function renderRevverFlash($input, $args) {
    $type = "revver";
    $params = explode("|", $input);
    $id = $params[0];
    $width = 480;
    $height = 392;
    $style = '';
    $url['revver'] = 'http://flash.revver.com/player/1.0/player.swf';
    // isset() avoids undefined-index notices when no type attribute is given.
    if (isset($args['type']) && isset($url[$args['type']])) {
        $type = $args['type'];
    }

    // Optional parameters: id|width|height|style
    if (count($params) > 1) {
        $width = $params[1];
        if (count($params) > 2) {
            $height = $params[2];
            if (count($params) > 3) {
                $style = $params[3];
            }
        }
    }
    $output = ' ';

    return $output;
}

?>

Add the following lines at the end of LocalSettings.php:

require_once("extensions/revverflash.php");

Standalone .flv files
There are many free .swf players for .flv files.

I find the lack of

somefileuploadedtomediawiki.flv

and

http://whatever.com/foo.flv

annoying to the point where I may very likely add something which does that. --Xiando 19:52, 13 March 2007 (UTC)


 * hold tight, I'll commit Extension:Player in a few hours. -- Duesentrieb ⇌ 20:23, 13 March 2007 (UTC)


 * Sweet. Perhaps you should take a look and see if there's any interesting code in Anarchy Media Player, then. It works great for WordPress sites. Perhaps there's something you can borrow from there. --Xiando 20:47, 13 March 2007 (UTC)

Love the extension! --Lolade 20:42, 2 April 2007 (UTC)

XSS Vulnerability Explained
Consider this snippet of code (unrelated lines have been removed):

$params = explode("|", $input);
$id = $params[0];
// ...
$url['youtube'] = 'http://www.youtube.com/v/' . $id;
// ...
$output = '<object width="'.$width.'" height="'.$height.'" style="' . $style . '">'
    .'<param name="movie" value="'. $url[$type] .'"> <param name="allowfullscreen" value="true" />'

If the $id contains a double quote followed by a close tag, the editor can effectively break out of the <param> tag and insert a <script> tag like so:

4lhyH5TsuPg" />  alert('evil code here');

The $id field is never urlencoded on the way to becoming part of the <param> tag's value attribute.

Hope this makes sense. --Jimbojw 21:00, 6 April 2007 (UTC)


 * Since version 1.1 (2007-03-24), the entire $input is parsed (including any '<' or '>' tags). --Args 17:28, 10 April 2007 (UTC)


 * You're right - sorry for the confusion. The call to htmlspecialchars takes care of the quotes.  The only other thing I can find that's abusable is that it's possible to hijack the url to a degree by inserting a leading '../' vis a vis: ../img/pic_youtubelogo_123x63.gif More of an annoyance vector rather than an actual attack vector though. --Jimbojw 18:52, 10 April 2007 (UTC)
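
Both points raised in the thread above (a double quote in $id ending the value attribute, and a leading '../' redirecting the player URL) can be closed by validating the ID against an allowlist before the markup is built, with htmlspecialchars kept as a second layer. The following is an added example, not VideoFlash's own code; the function names, the ID pattern and the size limits are assumptions.

```php
<?php
// Added example, not VideoFlash's own code. Function names, the ID pattern
// and the size limits are assumptions made for illustration.

// Allowlist the ID: quotes, angle brackets, dots and slashes never match,
// so neither an attribute breakout nor a leading "../" gets through.
function exampleCleanVideoId($raw) {
    $id = trim($raw);
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) === 1 ? $id : null;
}

// Width and height must be plain decimal integers in a sane range.
function exampleCleanDimension($raw, $default) {
    $raw = trim($raw);
    if (!ctype_digit($raw)) {
        return $default;
    }
    $n = (int)$raw;
    return ($n >= 1 && $n <= 4096) ? $n : $default;
}

// Build the <object>/<param> markup from "id|width|height" tag input.
function exampleRenderYoutube($input) {
    $params = explode('|', $input);
    $id = exampleCleanVideoId($params[0]);
    if ($id === null) {
        return '<strong class="error">invalid video id</strong>';
    }
    $width  = exampleCleanDimension(isset($params[1]) ? $params[1] : '', 480);
    $height = exampleCleanDimension(isset($params[2]) ? $params[2] : '', 392);
    $movie  = 'http://www.youtube.com/v/' . rawurlencode($id);
    // Escaping stays on as a second layer even though $id is already validated.
    return '<object width="' . $width . '" height="' . $height . '">'
         . '<param name="movie" value="' . htmlspecialchars($movie, ENT_QUOTES, 'UTF-8') . '">'
         . '<param name="allowfullscreen" value="true" />'
         . '</object>';
}

// Constructed sample inputs: one valid, the two cases from the thread, one bad size.
$samples = array(
    '4lhyH5TsuPg|480|392',
    '4lhyH5TsuPg" />',
    '../img/pic_youtubelogo_123x63.gif',
    '4lhyH5TsuPg|480px|392',
);
foreach ($samples as $sample) {
    echo exampleRenderYoutube($sample), "\n";
}
```

The second and third samples return the error markup instead of a player, and the fourth falls back to the default width because "480px" is not a plain integer.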