Extension:Secure HTML

The problem is that you occasionally need to display arbitrary HTML within a wiki, but allowing raw HTML site-wide opens you up to various XSS attacks. This extension solves that problem by letting you specify arbitrary HTML, but only if the HTML block carries a corresponding hash, computed from the HTML input combined with a secret key that only authorized people know.

Once you set up the extension, go to Special:SecureHTMLInput, enter an optional key name, the key value, and the HTML you wish to display. The page returns a snippet such as this (the hash attribute carries the 32-character hex digest; a placeholder is shown here):

<shtml hash="(32-character hex digest)">This is some HTML</shtml>

Simply place the generated snippet within an article, and the HTML will be displayed. However, if somebody else tries to modify that HTML block, the hash will no longer compute correctly, and the HTML will not be displayed within the article.

extensions/SecureHTML.php
Requires MediaWiki 1.5 and above.

Installation:
* Place SecureHTML.php in extensions/ under the MediaWiki tree.
* Place SpecialSecureHTMLInput.php in includes/.
* Add one or more keys to LocalSettings.php:
  $shtml_keys = array(
      'primary key' => 'Place a secret key string here',
      'another key' => 'some other secret key string'
  );
* Add this to LocalSettings.php: include("extensions/SecureHTML.php");
* Go to Special:SecureHTMLInput on the wiki to sign an HTML block.

Usage: <shtml hash="..." keyname="...">HTML</shtml>

Options:
* hash - The hash generated by SecureHTMLInput.
* keyname - One of the keys specified in the $shtml_keys array. If no keyname is specified, the first key in the array is used.
* HTML - The HTML you wish to display.
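The signing and verification steps described above, as an added Python example that is not part of the extension: sign_shtml() builds the snippet the way Special:SecureHTMLInput does (CRLF normalised to LF, md5 of key . html) and render_shtml() releases the body only when the hash verifies, as renderSecureHTML does. The hardened flag swaps in HMAC-SHA256 with a constant-time compare, the standard keyed-MAC replacement for a secret-prefix md5; the key table and the tag regexes are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample key table, mirroring the page's $shtml_keys array.
SHTML_KEYS = {
    "primary key": "Place a secret key string here",
    "another key": "some other secret key string",
}

TAG_RE = re.compile(r'<shtml(?P<attrs>[^>]*)>(?P<body>.*?)</shtml>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def _digest(key: str, body: str, hardened: bool) -> str:
    """Page scheme: md5(key . html), a secret-prefix hash.
    Hardened variant: HMAC-SHA256, a proper keyed MAC."""
    if hardened:
        return hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return hashlib.md5((key + body).encode()).hexdigest()

def sign_shtml(html: str, keyname: str, hardened: bool = False) -> str:
    """What Special:SecureHTMLInput does: normalise CRLF to LF, hash, emit the tag."""
    html = html.replace("\r\n", "\n")
    digest = _digest(SHTML_KEYS[keyname], html, hardened)
    return f'<shtml keyname="{keyname}" hash="{digest}">{html}</shtml>'

def render_shtml(snippet: str, hardened: bool = False) -> str:
    """What renderSecureHTML does: release the body only if the hash verifies."""
    m = TAG_RE.search(snippet)
    if not m:
        return "Error: no shtml tag"
    attrs = dict(ATTR_RE.findall(m.group("attrs")))
    # No keyname attribute: fall back to the first configured key, as the extension does.
    keyname = attrs.get("keyname", next(iter(SHTML_KEYS)))
    key = SHTML_KEYS.get(keyname)
    if key is None:
        return "Error: unknown key name"
    body = m.group("body")
    expected = _digest(key, body, hardened)
    # Constant-time comparison; PHP's loose == would compare numeric-looking digests as numbers.
    if hmac.compare_digest(expected.encode(), attrs.get("hash", "").encode()):
        return body
    return "Error: invalid hash"

if __name__ == "__main__":
    snippet = sign_shtml("This is some HTML", "primary key")
    print(snippet, render_shtml(snippet), render_shtml(snippet.replace("some", "other")), sep="\n")
```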



<?php

$wgExtensionFunctions[] = "wfSecureHTMLExtension";
$wgExtensionCredits['other'][] = array(
    'name'        => 'Secure HTML',
    'author'      => 'Ryan Finnie',
    'url'         => 'http://meta.wikimedia.org/wiki/Secure_HTML',
    'description' => 'Lets you include arbitrary HTML in an authorized and secure way',
);

function wfSecureHTMLExtension() {
    global $wgParser;
    global $wgMessageCache;

    # <shtml> blocks in wikitext are handed to renderSecureHTML().
    $wgParser->setHook( "shtml", "renderSecureHTML" );

    # Register Special:SecureHTMLInput, which signs HTML blocks.
    require_once('includes/SpecialPage.php');
    $wgMessageCache->addMessages(array('securehtmlinput' => 'Secure HTML Input'));
    SpecialPage::addPage( new SpecialPage( 'SecureHTMLInput' ) );
}

function renderSecureHTML( $input, $argv ) {
    global $shtml_keys;

    # Without a keyname attribute the first configured key is used.
    $keykeys = array_keys($shtml_keys);
    $keyname = (isset($argv['keyname']) && $argv['keyname'] !== '') ? $argv['keyname'] : $keykeys[0];
    if (!isset($shtml_keys[$keyname])) {
        return 'Error: unknown key name' . "\n";
    }
    $key = $shtml_keys[$keyname];
    $testhash = isset($argv['hash']) ? $argv['hash'] : '';

    # Same secret-prefix construction the special page uses: md5(key . html).
    $hash = md5($key . $input);

    # Strict comparison: a loose == would compare numeric-looking strings as numbers.
    if ($hash === $testhash) {
        $output = $input;
    } else {
        $output = 'Error: invalid hash' . "\n";
    }

    return $output;
}
?>

includes/SpecialSecureHTMLInput.php
<?php
# The opening of this file was lost in extraction. The function name follows the
# MediaWiki 1.5 convention that SpecialPage('SecureHTMLInput') dispatches to
# wfSpecialSecureHTMLInput(); the form and wrapper markup below is reconstructed
# (field names come from the getVal() calls).

function wfSpecialSecureHTMLInput() {
    global $wgOut, $wgRequest;

    if ($wgRequest->getVal('key') && $wgRequest->getVal('html')) {
        # Normalise line endings so the signed text matches what the wiki stores.
        $html = str_replace("\r\n", "\n", $wgRequest->getVal('html'));
        $keyname = $wgRequest->getVal('keyname');

        # Emit the ready-to-paste <shtml> snippet, escaped so it shows as text.
        $wgOut->addHTML('<pre>');
        $wgOut->addHTML('&lt;shtml ');
        $wgOut->addHTML($keyname ? 'keyname="' . htmlspecialchars($keyname) . '" ' : '');
        $wgOut->addHTML('hash="' . md5($wgRequest->getVal('key') . $html) . '"&gt;');
        $wgOut->addHTML(htmlspecialchars($html));
        $wgOut->addHTML('&lt;/shtml&gt;');
        $wgOut->addHTML('</pre>' . "\n");
        $wgOut->addHTML('<p>Copy the code above EXACTLY and paste it into the wiki editor.</p>' . "\n");
        $wgOut->addHTML('<p>If the generated code does not work, try removing all linefeeds from the input HTML and re-generate.</p>' . "\n");
        $wgOut->addHTML('<hr />' . "\n");
        # Preview of the submitted HTML, rendered as-is for the key holder.
        $wgOut->addHTML($html);
    } else {
        $wgOut->addHTML('<form method="post">' . "\n");
        $wgOut->addHTML('Key Name (optional): <input type="text" name="keyname" /><br />' . "\n");
        $wgOut->addHTML('Key: <input type="password" name="key" /><br />' . "\n");
        $wgOut->addHTML('HTML: <textarea name="html" rows="10" cols="60"></textarea><br />' . "\n");
        $wgOut->addHTML('<input type="submit" value="Generate" />' . "\n");
        $wgOut->addHTML('</form>' . "\n");
    }
}
?>