Extension talk:FlashMP3

That's a really cool extension, although songs aren't protected through this: they can still see the .mp3 file in the HTML source.

Maybe the new last.fm version is more to your liking.

-- Matsch 19:48, 4 March 2007 (UTC)

No template expansion
I tried to use the FlashMP3 extension with templates: I put " " in the template, and used that template in an article. However,  isn't replaced.

Hi, it is my first extension for, and experience with, MediaWiki. How would I go about doing this? Do you have an example? What is the use of doing it like this? Thanks. -- Matsch 18:27, 8 March 2007 (UTC)

XSS Vulnerability
Thanks for fixing the most gaping hole :) I didn't try, but it looks like the id argument can still be used for evil things: $id = $args['id'], and $id is then used in HTML output unescaped.

Btw... generally, it's cleaner to do the escaping on output, not when receiving the input... but it'll work I guess :) -- Duesentrieb ⇌ 21:42, 2 April 2007 (UTC)

 * OK, sorry. I just had a quick glance and didn't see the id... I thought it was the user input that must be validated (parsing the output here makes it so much more difficult..)? Anyway, hope it's "safe" now ;-) -- Matsch 21:57, 2 April 2007 (UTC)

No, what I mean is: either validate on input (i.e. parse and check), or escape on output. Escaping in the beginning, before the split, somehow feels dirty :) But it should work OK, so don't worry about it.

In the check $id, $args['id'] should be @$args['id'] or isset($args['id']) - accessing uninitialized array members triggers a warning. And the count($args)>0 bit is redundant. But the XSS problem should be gone now, thanks for the prompt response. I'll remove the alert tag. -- Duesentrieb ⇌ 00:16, 3 April 2007 (UTC)
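The two points raised above (test the attribute with isset() instead of reading $args['id'] directly, and either validate on input or escape on output) shown together in a small tag-hook callback. This is an added illustration, not the FlashMP3 extension's own code; the function name, the accepted id pattern and the HTML it emits are assumptions.

```php
<?php
// Hypothetical tag-hook callback in the style of a MediaWiki parser tag
// extension (added example, not the FlashMP3 extension's source).
// MediaWiki hands tag attributes to the hook as an associative array.

/**
 * Validate the 'id' attribute on input and escape every value on output.
 *
 * @param string $input  Tag body (here: the mp3 path).
 * @param array  $args   Tag attributes, e.g. array( 'id' => 'player1' ).
 * @return string        HTML fragment.
 */
function renderFlashMp3Example( $input, array $args ) {
    // Missing attribute: test with isset() rather than reading $args['id']
    // directly, which would raise a PHP notice for an undefined index.
    // Validate on input: the value ends up inside an HTML attribute, so only
    // a conservative identifier is accepted; anything else gets a default.
    $id = 'flashmp3';
    if ( isset( $args['id'] )
        && preg_match( '/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $args['id'] ) ) {
        $id = $args['id'];
    }

    // The tag body is not validated, so it relies on output escaping.
    // (As noted above, the path is visible in the page source anyway;
    // escaping is about preventing markup injection, not hiding the file.)
    $file = trim( $input );

    // Escape on output: ENT_QUOTES covers single- and double-quoted
    // attribute contexts, so the same helper is safe for both values.
    $safeId   = htmlspecialchars( $id, ENT_QUOTES, 'UTF-8' );
    $safeFile = htmlspecialchars( $file, ENT_QUOTES, 'UTF-8' );

    return '<div id="' . $safeId . '" class="flashmp3" data-file="'
        . $safeFile . '"></div>';
}

// Constructed sample calls: a well-formed id is kept; an id containing a
// quote or angle bracket fails validation and falls back to the default,
// and the escaped file path cannot close the surrounding attribute.
echo renderFlashMp3Example( 'music/song.mp3', array( 'id' => 'player1' ) ), "\n";
echo renderFlashMp3Example( 'x" <b>.mp3', array( 'id' => 'bad" <id>' ) ), "\n";
echo renderFlashMp3Example( 'song.mp3', array() ), "\n";
```

The third call shows the isset() path: with no id attribute at all the function returns the default id without emitting a notice.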