Extension talk:Anysite

For people who think that this extension is unsafe
For people who think that this extension is unsafe: This extension allows every sites to be embedded. So, technically, well, since HTML code in iFrame tag should not be rendered by Internet engine, I don't think this is the case. Especially, virtually many sites are unsafe. My purpose for creating this extension is to embed every, every sites. If you think that you can improve this extension, please make notes in discussion page. Idea: I will work on version 2.0 which will reject any bad website and any hacking program or permission changer.


 * This extension is not unsafe because it allows things to be shown in an iframe. It is extremely unsafe because it allows arbitrary javascript code to be injected into the page itself, thus allowing cookie theft, thus directly allowing attackers to hijack accounts. When passing things from $input to $output, the values must be strictly validated, or htmlspecialchars must be applied to them. Try something like  "> alert("yum yum i eat your cookies!") . To fix the gaping hole in this extension, use this:


 * $output= ''.' ';


 * cheers -- Duesentrieb ⇌ 01:57, 8 May 2007 (UTC)


 * Thanks to User:Duesentrieb, extension got much safer.

Brilliant
works a charm - thanks soo much! i've been fluffing around with IFRAME nonscence for a whole day trying to find a workaround for it. you're a lifesaver. i can finally embed our 'easy to use' noticeboard within our intranet!

if you chuck some more search keywords (iframe wiki workaround etc.) in this page you're bound to rescue hundreds of others! =)

thnkx again - dave fear, new zealand.

More options
Options to specify iframe width, height, and border would be nice in order to not have to force global settings for every embed. —Eep² 11:27, 20 August 2007 (UTC)
 * OK, I will make new version to be able to choose that. --Gabeyg 11:46, 24 August 2007 (UTC)

Feature suggestion
I missed some easy resize options per page, so here's a new version which lets users specify height and width : ++

~facyla~

Resize option
I made a few changes to get the iframe resize itself. Setting the width to 100% takes care of the horizontal scroll bar. Anysite.php code edit: function renderanyweb($input) { $output= '>'.' '; return $output; If you have content from the same domain you can access the parent document and resize the frame dynamically by adding a script to the iframe document. Iframe document code addition (see http://www.diplok.com/1ppl/html/article093.html): i = parent.document.getElementById("anyweb"); iHeight = document.body.scrollHeight; i.style.height = iHeight + 5 + "px"; If you don't have control over the content in the iframe you will have to add hieght:NNNpx; to the php code edit. Cheers, Wade
 * 1) The callback function for converting the input text to HTML output

Safe?
How is this safe? Can't javascript be inserted into the page that is shown and all kinds of nefarious things be done with it?


 * I admit to not being a guru when it comes to security. I would applicate a bit of info on how this is "Safe" as its tag line says it is.  --Vaccano 16:27, 5 November 2007 (UTC)


 * Because I really wanted to use this extension I did some research and found that iFrames do not protect you from the content within them. Use this extension only if you trust everyone who can edit your wiki to know better than to include bad pages (something rarely possible).  Otherwise you are opening up your Wiki (and anything your wiki users can access) to nefarious activity.


 * A better option (though not fool proof) is Extension:Secure HTML or its similar editing rights based counterparts. --Vaccano 19:04, 28 January 2008 (UTC)
 * I don't agree. Please see the main page for this extension. --Gabeyg 07:30, 28 December 2008 (UTC)

Would anyone work for me?
I allow anyone to change the source code of this extension. But if i find the code to make this extension instable, i will remove it.

I can't use this...
It just shows http://www.google.com
 * Same Here. It does not work.--Amglez 16:38, 28 January 2008 (UTC)
 * Same with me. Odessaukrain 02:29, 30 March 2008 (UTC)
 * Did you modify the LocalSettings.php file to include the script ? (see Installation instructions) ~facyla~

coding not complete?
Hi, This seems a very useful extension but the code-example seems not complete (anymore?)

Requesting that this extenstion be protected or deleted
Gabeyg removed negative warnings on this page

Gabeyg deleted a serious warning template on Extension:Anysite twice.

This extension is obviously not stable. Yet the creator lists it as stable.


 * 1) I am requesting that this extension be deleted or protected.
 * 2) I restored the serious template warning.
 * 3) I changed the status from stable to experimental.
 * 4) I restored the comments Gabeyg  deleted.
 * 5) I think Gabeyg should be warned.

Odessaukrain 03:01, 30 March 2008 (UTC)
 * For some parts, you are mistaken. For some parts, I am definitely sorry that I failed to maintain and revise this extension. --Gabeyg 07:31, 28 December 2008 (UTC)

Works a charm ...
Hi, I'm now using this extension since some month (at nearly every page) and until today I couldn't notice any problems. I'm not a coder/programer, so I have no clue if this extension is now safe or not (I'm unable to follow all the undated postings above). So all I can say is, that this extension "works a charm" for me - so far (I'm using MW 1.12). I hope I can see soon some new comments or maybe some improvements for this extension from its creator (Gabeyg) or any helpers or users of this extension, because this extension is definitely great and very EASY to use ... BTW - For the last posters above: I have just compared my extension code-file with the current code on the extension site. As far I can see - nothing has changed. So I wonder why you can't get the extension to work ...

--80.109.228.11 02:26, 22 April 2008 (UTC)


 * Hi
 * Great extension! Works with MW 1.13 and 1.15 without any changes in the code - Thanks --Teamghost 08:27, 19 June 2009 (UTC)

Clear Thing about XSS comment
For non-coders: I added htmlspecialchars to prevent XSS attacks, and I appreciate your concerns. Dear Odessaukrain, if you have a problem with this extension. PLEASE ASK. Don't be so mad like a gorilla. Please ask before you say "Oh yes. SecureHTML is superior." Yes, I know that SecureHTML is more secure than Anysite, but less versatile than Anysite. And, unfortunately, htmlspecialchars functions prevent most of XSS attacks (and that's why this function is made. See PHP manual for this.) P.S. I am currently busy doing many stuffs. After 3 months, I will return and continue to revise, I promise.

Thanks and cheers, User:Gabeyg