Extension:Monstranto

The Monstranto extension allows you to use Scribunto to create illustrations. Please note, this is still in the proof of concept stage, and not everything is implemented yet. However, enough is that you can install it, play with it, and perhaps develop an opinion on whether this is a good idea, or a terrible idea.

This extension is inspired by meta:User:Yurik/I_Dream_of_Content. MediaWiki does not have a good story around using interactive multimedia. The main previous attempt to rectify this was Extension:Graph. However, in practice it seems like this has only seen limited use so far. As of today, its used on a mere 15,000 main-space pages of english Wikipedia. More to the point, the vast majority of those uses are either simple line/bar graphs or simple map overlays. If you exclude,  ,  ,  ,  ,  , there are only 477 usages. Standard bar graphs of course fill an important need, but they are also far from being active learning experiences. The dream is not just to have some graphs to complement the text, but to allow readers to really understand the information in a different way - i.e. the difference between reading a book and going to a museum. For example, imagine something like https://observablehq.com/@tmcw/enigma-machine being on the Enigma machine article.

My belief is the reason that Extension:Graph did not catch on, is essentially it is both too low level and too high level at the same time:
 * The vega syntax is hard to understand for normal people. It is too low level for the average Wikipedia editor.
 * The vega syntax can be difficult to work with if you are trying to do something outside of its intended user case, thus being too high level
 * It is difficult to make abstractions over graph (too high level)

In Wikipedia, Scribunto has seen great success, as it gave some simple tools to editors, which allowed template maintainers to combine them in complex ways to make complicated abstractions. I think we should follow that approach with interactive content. This extension essentially hooks lua up to SVG, allowing template editors to go wild. The theory is, that they can make abstractions that make sense resulting in easy to understand interfaces for less technical users, and the full freedom to do anything you can imagine for the technical users.

Hello world example
A simple example for this extension. This makes a circle which changes colour when you click on it.

Create the following Lua module, named Module:Demo:

Then put  on a page somewhere.

Security
This extension is designed to use multiple levels of security:
 * Brower Iframe sandbox feature to render the svg in a null origin that has no access to site data
 * CSP policy to prevent scripts other than those expected.
 * Verify initial svg is not scripted (And thus not interactive until user touches it) using both MW svg validation, and DomPurify
 * Use MediaWiki's restrictions on attributes starting with data-mw to prevent user bypassing things.
 * [not yet implemented] Use lua sandboxing so that dangerous apis are not exposed at all

Anyways, sufficed to say, this has been designed with security in mind, and should not be a security risk in terms of XSS.

There is a potential for client side DoS. This should be partially mitigated by the fact the user needs to click before any scripts are being run and CSP prevents exfiltration making it pointless to run a cryptominer. Browsers also contain some support for terminating non-responsive scripts. It may be possible to look into adding some resource limits on the lua side.