Extension talk:MscGen

Cool - I like it! -- Mike

Examples?
I'd love to see some examples of this in action. --131.158.72.67 22:03, 15 December 2006 (UTC)
 * see here --143.50.234.158 17:48, 19 December 2006 (UTC)

Another Approach to Graph generation
There is a generic graph layouter called aiSee. I built an interface for it and called it Extension Wgraph. In case somebody is reading this I would be interested in feed-back and comparison with MscGen.
 * Algorithmix 15:30, 22 July 2007 (UTC)

One installed, the following block will render an image with msc. (MSC isn't installed here, so it doesn't actually work). Note that you need to have both the tag and the msc {} brackets.

msc { a,b,c;

a->b [label="ab"] ; b->c [label="bc(TRUE)"]; c=>c [label="process(1)"]; c=>c [label="process(2)"]; ...; c=>c  [label="process(n)"]; c=>c [label="process(END)"]; a<<=c [label="callback"]; ---  [label="If more to run", ID="*"]; a->a [label="next"]; a->c [label="ac"]; b<-c [label="cb(TRUE)"]; b->b [label="stalled(...)"]; a<-b [label="ab = FALSE"]; }

XSS vulnerability
I've marked the extension as having an XSS vulnerability.

The offending code is:

The mscgen executable receives data input directly from the user. If the input data is malformed, mscgen may complain about syntax errors (which are stored in $fname.".err") containing pieces of the data read from the input. This error output is passed directly to the output of the page.

If the user input contains some broken syntax including javascript code, that makes mscgen complain and output as a error message, this javascript is potentially included on the output, putting readers at risk.

You should properly sanitize the contents of $err before sending it as the output of the extension.

Remove the XSS-alert tag after you have fixed this issue.

By the way, avoid using id="toc", or any other id= tag for that matter. XML id's are supposed to be unique, and the "toc" ID already have a well defined use for the output generated by Mediawiki.

--Juliano 18:21, 21 April 2008 (UTC)

Patched for cross site scripting attack
I did a blind (untested) patch for the cross-site scripting attack. As I am no longer actively developing it, would someone please test it?

br, Ruud


 * Hello Ruud,
 * It seems fine now. I removed the XSS-alert tag.
 * Best regards, --Juliano 13:05, 3 May 2008 (UTC)