Extension:Secure HTML

The problem is you occasionally need to display aribtrary HTML within a wiki, but allowing it site-wide opens you up to various XSS attacks. This extension solves that problem by letting you specify arbitrary HTML, but only if the HTML includes a correspoding hash that is created by combining the HTML input, along with a secret key that only authorized people know.

Once you set up the extension, go to Special:SecureHTMLInput, input an optional key name, the key value, and the HTML you wish to display. The page will return a snippet such as this:

This is some HTML

Simply place the generated snippet within an article, and the HTML will be displayed. However, if somebody else tries to modify that HTML block, the hash will no longer compute correctly, and the HTML will not be displayed within the article.

includes/SpecialSecureHTMLInput.php
GetVal('key') && $wgRequest->GetVal('html')) { $html = str_replace("\r\n", "\n", $wgRequest->GetVal('html')); $wgOut->addHTML(' '); $wgOut->addHTML('&lt;shtml '); $wgOut->addHTML(($wgRequest->GetVal('keyname') ? 'keyname="' . $wgRequest->GetVal('keyname') . '" ' : '')); $wgOut->addHTML('hash="' . md5($wgRequest->GetVal('key') . $html) . '"&gt;'); $wgOut->addHTML(htmlspecialchars($html)); $wgOut->addHTML('&lt;/shtml&gt;'); $wgOut->addHTML(' ' . "\n"); $wgOut->addHTML('Copy the code above EXACTLY and paste it into the wiki editor. ' . "\n"); $wgOut->addHTML('If the generated code does not work, try removing all linefeeds from the input HTML and re-generate. ' . "\n"); $wgOut->addHTML(' ' . "\n"); $wgOut->addHTML($html); } else { $wgOut->addHTML(' ' . "\n"); $wgOut->addHTML('Key Name (optional):  ' . "\n"); $wgOut->addHTML('Key:  ' . "\n"); $wgOut->addHTML('HTML:  ' . "\n"); $wgOut->addHTML(' ' . "\n"); $wgOut->addHTML(' ' . "\n"); } } ?>