Extension talk:FlashMP3

That's a real cool extension, although songs aren't protected through this; they can still see the .mp3 file in the HTML source.

Maybe the new last.fm version is more to your liking.

-- Matsch 19:48, 4 March 2007 (UTC)

No template expansion
I tried to use the FlashMP3 extension with templates: I put " " in the template, and used that template in an article. However,  isn't replaced.

Hi, it is my first extension for and experience with MediaWiki. How would I go about doing this? Do you have an example? What is the use of doing it like this? Thanks. -- Matsch 18:27, 8 March 2007 (UTC)

XSS Vulnerability
Thanks for fixing the most gaping hole :) I didn't try, but it looks like the id-argument can still be used for evil things: $id = $args['id'], $id is then used in HTML output unescaped.

Btw... generally, it's cleaner to do the escaping on output, not when receiving the input... but it'll work I guess :) -- Duesentrieb ⇌ 21:42, 2 April 2007 (UTC)


 * Ok, sorry. I just had a quick glance and didn't see the id... I thought it was the user input that must be validated (parsing the output here makes it so much more difficult..)? Anyway, hope it's "safe" now ;-) -- Matsch 21:57, 2 April 2007 (UTC)

No, what I mean is: either validate on input (i.e. parse and check), or escape on output. Escaping in the beginning, before the split, somehow feels dirty :) But it should work OK, so don't worry about it.

In the check $id, $args['id'] should be @$args['id'] or isset($args['id']) - accessing uninitialized array members triggers a warning. And the count($args)>0 bit is redundant. But the XSS problem should be gone now, thanks for the prompt response. I'll remove the alert tag. -- Duesentrieb ⇌ 00:16, 3 April 2007 (UTC)
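
The two options named in this thread (validate on input, or escape on output), together with the isset() check, as an added PHP example that is not the extension's own code. The function names, the default id and the generated markup are assumptions made for illustration.

```php
<?php
// Added illustration; renderPlayerTag() and its markup are hypothetical,
// not the FlashMP3 extension's actual code.

// Option 1: validate on input. Accept only a conservative id alphabet and
// fall back to a default for anything else.
function validatedId(array $args, string $default = 'flashmp3'): string {
    // isset() avoids the notice raised by reading a missing array key.
    if (isset($args['id'])
        && preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $args['id'])) {
        return $args['id'];
    }
    return $default;
}

// Option 2: escape on output. Keep the raw value internally and encode it
// at the point where it enters an HTML attribute.
function escapedAttr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderPlayerTag(array $args, bool $validate): string {
    if ($validate) {
        $id = validatedId($args);
    } else {
        $id = isset($args['id']) ? $args['id'] : 'flashmp3';
    }
    // Escaping here is harmless for validated ids and essential otherwise.
    return '<div id="' . escapedAttr($id) . '" class="player"></div>';
}

// Constructed sample inputs: a normal id, a missing id, and a value that
// tries to close the attribute and append another one.
$samples = [
    ['id' => 'track-1'],
    [],
    ['id' => 'x" data-injected="1'],
];
foreach ($samples as $args) {
    echo renderPlayerTag($args, true), "\n";   // validated
    echo renderPlayerTag($args, false), "\n";  // escaped only
}
```

With the third sample, the validated path falls back to the default id, while the escape-only path emits the quotes as &quot; so the value stays inside the id attribute.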

Open in New Window?
Does anyone know if there is an easy way to get this player to open in its own window, so the track will continue to play while a user surfs through the wiki pages? Thanks