Extension:Secure HTML

Occasionally you need to display HTML within a wiki, but allowing it site-wide opens you up to various XSS attacks. This extension solves that problem by letting you specify arbitrary HTML, but only if the HTML includes a corresponding hash that is created by signing the HTML input with a secret that only authorized people know.

The extension uses a special page, Special:SecureHTML which helps you build a tag, &lt;shtml&gt;, which acts as a wrapper around raw HTML. An example looks like:

If the user uses a valid shared secret to build the hashed &lt;shtml&gt; snippet and includes it in a wiki page, the snippet is rendered as the raw HTML contained within the tag. If the shared secret is invalid, the snippet is rendered as an error message (but not containing the HTML, obviously).

Installation
Secure HTML is compatible with MediaWiki 1.23 and later.

Configuration
Secure HTML uses HMAC digests to sign a piece of raw HTML in a &lt;shtml&gt; tag, using a shared secret key. The $wgSecureHTMLSecrets configuration array may have multiple shared secrets, and is in the format:

The first part of each pair is the key name, and the second part is the key secret. This way, you can logically segment shared secrets among several groups. If a keyname= parameter is not given to the &lt;shtml&gt; tag, the first entry in $wgSecureHTMLSecrets is assumed. So, for example:

The default tag name is shtml, but may be changed by setting e.g.:

Special:SecureHTML
The special page Special:SecureHTML is used to build the snippet, specifying the raw HTML, the key secret, and (optionally) the key name. If a key name is not specified, the first entry in $wgSecureHTMLSecrets is assumed. When the form is submitted, the signed snipped is displayed, and an attempt to render the snippet is made. If the key secret is incorrect, this will show you the results immediately, before you try to add the snippet to a page.

Special:SecureHTML is restricted to users who have the 'edit' right; the rationale being the user needs to be able to edit pages anyway to make use of this extension. If you would like to change this right, set $wgSecureHTMLSpecialRight to another right, or set to '' to allow anyone to use the special page.

Note that this restriction does not provide much extra security. If your MediaWiki installation requires users to be logged in to edit, it does provide superficial protection against anonymous dictionary attacks (checking the preview result) against a key. However, if a user already knows a key secret, he/she can build the signed snippet manually; the special page is not strictly needed.

By default, Special:SecureHTML presents a dropdown list of configured key names to select from. If you would rather not show all key names, set the following to turn the field into a freeform text input:

Hash algorithms
Beginning with version 3.0, HMAC hash algorithms are configurable per-key. The default is HMAC SHA256 when the key value is a string (the secret), but may be extended, for example:

SHA256 should be secure for most purposes, but if you do pick a custom algorithm, be careful with which one you choose. For example, adler32 would be a very bad choice for hashing.

Version 1.0 used a simple data + secret MD5 hash which is now considered cryptographically insecure. This format was deprecated in version 2.0 in favor of HMAC SHA256 hashes, and removed in 3.0. Any existing version 1.0 hashes must be converted to new hashes.

Internationalization
Translation of the extension strings is managed by Translatewiki.net (direct extension link). Please contribute translations there.