Extension talk:SecureHTML

Shouldn't this be written a different way
Shouldn't the localsettings.php lines be written like this:


 * require_once( "includes/DefaultSettings.php" );

In addition, I have wikipedia 1.7, can I use this program?
 * I do not know

Also, have you considered combining this program with the other stubs program? It would be easier to install. Odessaukrain 03:47, 30 March 2008 (UTC)
 * In terms of ease of installation, I would suggest using PEAR. Jean-Lou Dupont 11:39, 30 March 2008 (UTC)
 * Jean-Lou Dupont, thank you for your prompt response, what a wonderful s urprise.
 * Sorry to be so dense, especially when the page clearly says 1.10, does this extension work for wikipedia 1.7?
 * Extension:SecureHTML and Extension:Anysite doesn't work, and Extension:Anysite has major security flaws, so I only have your extension to use.
 * I disagree with you. Check again my extension site Extension:Anysite. --Gabeyg 07:42, 28 December 2008 (UTC)
 * I am trying to embed a blog into my webpage. Odessaukrain 18:42, 30 March 2008 (UTC)
 * I do not know if this works under 1.7 nor will I test this. Sorry. Jean-Lou Dupont 19:19, 30 March 2008 (UTC)
 * Why don't you test it? Nothing will explode I am sure ;-) Jean-Lou Dupont 19:32, 30 March 2008 (UTC)
 * Sure, I will let you know asap. I just didn't want to go through the hassle if other people have already tested it. Odessaukrain 09:31, 31 March 2008 (UTC)

Hi, Is there a way to set the width and height of the included html page on a case by case basis? How is that handled in this extension? e.g. to order to avoid scroll bars 118.92.110.162 07:45, 15 May 2008 (UTC)
 * Hi - the extension has nothing to do with scrollbars - you must control this behavior. Are you by any chance including an iframe?

Jean-Lou Dupont 10:12, 15 May 2008 (UTC)
 * Thanks for the quick response. I was just trying to compare it with the anysite extension.  With anysite the height and width of the HTML you embed is controlled globally in the extension file.  If you embed a page larger than the allowed area, then it puts scroll bars on it, so yes, I guess the anysite extension does put it into an iframe.


 * If I use securehtml, does it allow me to embed another URL into the page? If so, how is the height and width controlled for how that page appears - just by the surrounding mediawiki code?
 * 130.195.86.36 22:42, 15 May 2008 (UTC)
 * It allows unrestricted HTML using tag section on edit protected pages (see the protect tab on each page). If you require more information on HTML in general, I would suggest googling. Jean-Lou Dupont 23:48, 15 May 2008 (UTC)


 * Same for me as described above. onyl if ($wgRawHtml = false;) + protected template reading ... + Extension:ParserFunctionsHelper + --Subfader 19:09, 9 July 2008 (UTC)

Functionality explained?
I am not a programmer and at the edge of my understanding when I read the description of this extension. Looking for a simple solution to include javascript and php code in pages without compromising security. When comparing this extension with Extension:HTMLets the latter seems less complicated. I don't need the functionality of SecureHTML that allows users to include widgets, at least not for now. Are there other options/functions I possibly might miss if I go for the simpler solution using HTMLets? --Kassoe 20:54, 15 May 2008 (UTC)
 * I am putting the finishing touches to Extension:SecureWidgets which should be helpful. I also commit to adding more details on Extension:SecureHTML shortly.
 * I do not have a side-by-side comparison with other extensions, sorry. Jean-Lou Dupont 23:49, 15 May 2008 (UTC)

MW 1.12.0 plus current secureHTML (SVN) - June 25, 2008 [SOLVED]
Jean-Lou:

Thanks for this extension! I'm trying to get it to work without full success.

I've created a protected template which includes the html code to display content from another server. After saving the template, the content displays nicely within the template (just the way I want it to display in an article). However, when I embed the template within the article, all one sees is the html code as it was written in the template and not the display of the 's content.

Any ideas what to look at? Thanks. -- Rik

ps: I do have the stubmanager extension installed as well and listed above the "require_once" statement for secureHTML.
 * That's probably because the target page isn't edit protected. In this case, use the #shtml parser function. Jean-Lou Dupont 10:22, 25 June 2008 (UTC)

Jean-Lou:

I installed ParserFunctionsHelper and that solved the problem for both protected and unprotected edits. Without ParserFunctionsHelper, I still can't get the protected edits to work. But since it works both ways with ParserFunctionsHelper installed, that solves the problem for me.

Thank you very much both for the great extensions and your help. -- Rik
 * My pleasure. Jean-Lou Dupont 00:52, 26 June 2008 (UTC)

php include?
Is there a way to include php files in teh protected templates without using iframes? I mean real includes  --Subfader 19:16, 9 July 2008 (UTC)
 * Use Extension:SecurePHP. Jean-Lou Dupont 02:21, 13 July 2008 (UTC)

Installation Problem
I have installed both stubmanager and securehtml... i think

Specail:version shows it as having been installed. But its not working right. I am trying to embed a Picasa slide show. In the wiki I put



When I hit "preview" it appears fine but when I save the page I just see the source, not the flash slideshow. I locked down the page so only my registered and trusted users can edit it, but no luck

Suggestions?
 * your leading html tag has a / in it... should be, not . Rururudy 05:27, 11 January 2010 (UTC)

Does it work on 1.13?
Hello, I use MediaWiki 1.13 and it seems that SecureHTML doesn't work properly with this version. Is there something I can do to use this extension with 1.13 ? -- Marineam 12:07, 01 October 2008 (UTC)


 * Have you seen that you need the StubManager and the ParserFunctionsHelper extensions to get it working? --Subfader 14:35, 1 October 2008 (UTC)
 * I haven't tried 1.13 yet... I'll get around to it at some point though. Jean-Lou Dupont 01:48, 2 October 2008 (UTC)
 * I had no probs moving from 1.12 to 1.13 --Subfader 05:46, 2 October 2008 (UTC)

Linking
I think it would be usefull to create a link when using a template with the #html or #sthml tag. By now the used templates are displayed as unused and you can not see where they are used. --77.182.140.72 11:18, 14 December 2008 (UTC)


 * Ditto. --Subfader 17:21, 14 December 2008 (UTC)


 * And this is a third vote for this feature. —Twisted86 21:46, 20 February 2009 (UTC)


 * Somebody there who will make further development. I could even put it into a SVN repo if someone would insert this feature. --DaSch 00:26, 2 April 2009 (UTC)


 * If somebody would care to explain to me what the feature is about, I'll consider adding it. Jean-Lou Dupont 12:39, 3 April 2009 (UTC)


 * The inculded page or template should be linked like a template so that it appears in the list of used templated at the bottom of the page and when going to the template that is included with #html ot #shtml and looking there under "Links to this page" the pages the template is included in are listed. I don't know if this is understandable. Short: The inculded pages should be treated like templates and appear as linked to the pages they are included in. --DaSch 12:50, 3 April 2009 (UTC)
 * This sounds only applicable to #shtml: in this case, supporting this requirement appears to need some fiddling around with database tables ( probably also need a new background job to update these ). In which case, I am not ready to take on this ( I am not involved in Mediawiki nowadays ). Isn't there a trick with the template engine that can be done? e.g. all the page referenced by #shtml would be tagged with some category? Jean-Lou Dupont 14:42, 3 April 2009 (UTC)
 * I'm not a developer, I have no idea. The category solution would only be a workaround, but no real solution. When having template Linking also the problem, that HTML templeates apear in Special:Unused Templates. Maybe you know somebody else who could apply this changes? --DaSch 14:46, 3 April 2009 (UTC)

#shtml in condition code
Hi. I'm trying to include a html template when it's only me. Like this: (CURRENTUSER is called by another extension) but then it displays the template but  below in plain text. Any idea how to get around it? Thanks! --Subfader 13:58, 18 January 2009 (UTC)
 * Ok me dumb. I fixed by adding the condition in the template page {{#ifeq:UserX|{{CURRENTUSER}}| .... --Subfader 14:02, 18 January 2009 (UTC)

Wiki Links
Hi, I'm trying to get [[media:foo]] links working within SecureHTML (Passing them as arg. by the #shtml tag, so that they get resolved to http://... links. Any ideas?


 * On a similar note, I have a template page with some JS on it and an HTML form inside a table. The last thing on the template is a line of text with a wikilink foo in it. I transclude the template using . The problem is that the wikilink is not interpreted—i.e. it prints as foo instead of foo. Suggestions? —Twisted86 21:50, 20 February 2009 (UTC)

Wonderful extension
Just wanted to say Thank you. After reading all the scary warnings on mediawiki.org about allowing html I almost gave up. I use this extension quite long now and must say it really is secure via protecting the template. Lots of things are possible using this extension. Cheerio! --Subfader 02:39, 28 January 2009 (UTC)


 * And I add my thanks, too. I originally installed it just to be able add a PayPal form, but there's lots of cool stuff I am envisioning now. Nice extension. —Twisted86 21:52, 20 February 2009 (UTC)


 * Yes it's an wonderful extension. But it's sad that there is no further development. --DaSch 23:51, 20 February 2009 (UTC)

On ThePlaz.com
Hi. I just installed your SecureHTML extension. I found two issues.

First, when I was trying to include a page which was NOT protected BUT in an EXCLUDED name space using #html. I was getting a permission error. I fixed this by modifying function getAndCheckTitle to include the following lines after checking if the title exists and before the return statement:

Second, after that, I was getting visible HTML if I included a page using #html (with both host and included page protected). To workaround, I installed ParserFunctionsHelper Extension and switched to #shtml. I don't think #html works at all, since it just dumps $text to the parser which sanitizes it. -Michael180 23:37, 23 April 2009 (UTC)

Bad HTML Tag
Hi there,

The IFRAME tag when added to a protected page causes all but the main section of that page to fail to load, which the only way to solve the problem is by going back twice in your browser and deleting the tag. Then save the page.

I would like to know if a fix will be coming out for this.
 * No problems with iframes. Are you sure you use this extension correctly? --Subfader 06:18, 25 April 2009 (UTC)

#shtml + DPL
I want to create a dropdown for a category listing its existing subcategories. So instead of listing all option tags manually (hard to update) I want to create that list using DPL. Template:SomeHTMLtemplate:   {@{CatOptions}@} On the article: The DPL code itself works. But the dropdown lists nothing or just "%TITLE%" once. Any ideas? --Subfader 03:02, 30 April 2009 (UTC)

Problems with "=" in {@{parameters}@}
Hi, I'd like to write an template to enable html-like linked images similair to Extension:LinkedImage, but with the difference that I want to enable external URLs as href. Everything works fine, but I don't find a way to include URL-parameters. If I try this on a protected Page: Test and call this template with an argument that contains an equal sign like: The result will be http://www.mediawiki.org/w/index.php?title I Think, everything to the right of "=" is interpreted as a {@{parameter-value}@} itself. Any Ideas? --WiMu 14:15, 27 May 2009 (UTC) P.S.: sorry for my lack of English
 * err it should be like this?


 * --Subfader 01:27, 2 July 2009 (UTC)
 * Sorry, got the same problem now. Fix: In SecureHTML.body.php replace

$bits = explode( '=', $e );
 * with

$bits = explode( '=', $e, 2 );
 * But this raises the next problem. & in URLs is replaces by &amp ; . I couldn't find out what causes that. Could be the parserhelper extension or the wiki markup. --Subfader 11:34, 28 March 2010 (UTC)

Getting errors
On an image page: Original exception: exception 'MWException' with message ' extension tag encountered unexpectedly' in /var/www/w/includes/parser/Parser.php:3223 Stack trace: ThePlaz 00:08, 20 July 2009 (UTC)
 * 1) 0 /var/www/w/includes/parser/Preprocessor_DOM.php(1026): Parser->extensionSubstitution(Array, Object(PPFrame_DOM))
 * 2) 1 /var/www/w/includes/parser/Parser.php(2632): PPFrame_DOM->expand(Object(PPNode_DOM), 0)
 * 3) 2 /var/www/w/includes/parser/Parser.php(875): Parser->replaceVariables(' internalParse(' parse(' parse(' outputPage(Object(OutputPage))
 * 10) 9 /var/www/w/includes/Wiki.php(345): OutputPage->output
 * 11) 10 /var/www/w/index.php(120): MediaWiki->finalCleanup(Array, Object(OutputPage))
 * 12) 11 {main}


 * The problem goes away when I kill memcached and cleared sitenotice.

There was also this when I previewed Main Page (a protected page using ) Parser->extensionSubstitution(Array, Object(PPTemplateFrame_DOM)) PPFrame_DOM->expand(Object(PPNode_DOM)) Parser->braceSubstitution(Array, Object(PPFrame_DOM)) PPFrame_DOM->expand(Object(PPNode_DOM), 0) Parser->replaceVariables('__NOED...') Parser->internalParse('__NOED...') Object(Title), Object(ParserOptions)) MediaWiki->performAction(Object(OutputPage), Object(Article), Object(Title), Object(User), Object(WebRequest)) Object(Article), Object(OutputPage), Object(User), Object(WebRequest)) I am investigating if this is related to the above sitenotice issue or possibly the hacks I described on this page in April. I remember from last April that preview would appear, but without the HTML parsed. --ThePlaz 00:25, 20 July 2009 (UTC)
 * 1) 0 /var/www/w/includes/parser/Preprocessor_DOM.php(1026):
 * 1) 1 /var/www/w/includes/parser/Parser.php(2936):
 * 1) 2 /var/www/w/includes/parser/Preprocessor_DOM.php(959):
 * 1) 3 /var/www/w/includes/parser/Parser.php(2632):
 * 1) 4 /var/www/w/includes/parser/Parser.php(875):
 * 1) 5 /var/www/w/includes/parser/Parser.php(327):
 * 1) 6 /var/www/w/includes/EditPage.php(1789): Parser->parse('__NOED...',
 * 1) 7 /var/www/w/includes/EditPage.php(1157): EditPage->getPreviewText
 * 2) 8 /var/www/w/includes/EditPage.php(469): EditPage->showEditForm
 * 3) 9 /var/www/w/includes/EditPage.php(340): EditPage->edit
 * 4) 10 /var/www/w/includes/Wiki.php(510): EditPage->submit
 * 5) 11 /var/www/w/includes/Wiki.php(63):
 * 1) 12 /var/www/w/index.php(119): MediaWiki->initialize(Object(Title),
 * 1) 13 {main}


 * No; hacks reverted and sitenotice blank. It worked when I killed memcached.  Interesting that this is occurring when memcached is on.  I suppose the app has not been tested with memcached.  Theoretically, the extension and memcached should play nice.  --ThePlaz 00:33, 20 July 2009 (UTC)

Not sure how MemCache is interacting to cause this (although I can confirm it is). The diff below fixes things though.

diff --git a/supplements/w/extensions/SecureHTML/SecureHTML.body.php b/supplements/w/extensions/SecureHTML/SecureHTML.body.php index 7109950..3f7c3c9 100644 --- a/supplements/w/extensions/SecureHTML/SecureHTML.body.php +++ b/supplements/w/extensions/SecureHTML/SecureHTML.body.php @@ -39,6 +39,10 @@ class SecureHTML */    public function hArticleSave( &$article, &$user, &$text, &$summary, $minor, $dontcare1, $dontcare2, &$flags) { return $this->process( $article ); } /** +       This hook is required for comparing the history of an article with an tag within it +     */ +   public function hDiffViewHeader( &$article, &$oldrev, &$newrev) { return $this->process( $newrev ); } +   /**          This hook is required when 'parser caching' functionality is not used. */    public function hArticleViewHeader( &$article) { return $this->process( $article ); } @@ -64,7 +68,7 @@ class SecureHTML if (!is_object( $obj )) return false; // paranoia -       if (!is_a( $obj, 'Article')) +       if (!is_a( $obj, 'Article') && (!is_a( $obj, 'Revision'))) return false; $title = $obj->mTitle; diff --git a/supplements/w/extensions/SecureHTML/SecureHTML.php b/supplements/w/extensions/SecureHTML/SecureHTML.php index a2037cc..c6849f9 100644 --- a/supplements/w/extensions/SecureHTML/SecureHTML.php +++ b/supplements/w/extensions/SecureHTML/SecureHTML.php @@ -18,7 +18,7 @@ if (class_exists( 'StubManager' )) { StubManager::createStub(   'SecureHTML',                                 dirname(__FILE__).'/SecureHTML.body.php',                                 null, -                                array( 'ArticleSave', 'ArticleViewHeader' ), +                                array( 'ArticleSave', 'ArticleViewHeader', 'DiffViewHeader' ),                                 false,    // no need for logging support                                 null,    // tags                                 array( 'html', 'shtml' ),

--bradbeattie@gmail.com 23:18, 27 August 2010 (UTC)

Not working on Main_Page
I have installed this extension along with StubManager. This extension works as expected on all pages except the Main_Page (default front page). I have tried both methods, using tags and using. Both Main_Page and code_page are edit protected as "Administrator Only". Again, the extension is working on several pages but when I try to insert HTML and JAVASCRIPT on the Main Page, I get raw code outputted instead of rendered. Any ideas?

I created a protected template, it works, but... Now I think I solved it
Hello,

I have created a template called Template:EXAMPLE.comHomeLink, with this code:

My Site Home

Saved the template page and protected it.

The link appears without the nofollow icon after it, and takes me out of my wiki to the root of my site, as I wish. (In earlier experiments I linked to an mp3 file and embedded a YouTube video on a protected Experiment page.)

I included the template with in another template of links. Over there, I see the html code instead of the link. This means that I would have to protect this template also, and I'm guessing the Wiki article itself too, that includes the links template. because I use the links template everywhere, I would have to protect every page on my wiki.

From this I understand that I am calling on the HTML parser, and my understanding is that if I were to use the shtml parser instead, I would only have to protect the "EXAMPLE.com" template?

And what do I do differently to achieve this?

Thank you for your time.

MediaWiki 1.15.1 with SecureHTML and its two dependencies installed--Well then 19:10, 31 October 2009 (UTC)


 * What exactly is your problem? Shouldn't it be ? Also, if you just want to get rid of the external link icon [[File:Icon External Link.png]] use the plainlinks fix or simply My Site Home ? --Subfader 19:53, 31 October 2009 (UTC)

Thanks for the comeback, you are right, I didn't use to call the shtml parser. I was then presented with a SecureHTML:(redlink) where I filled in the required HTML code.

Everything was working correctly, just that I needed to protect everything everywhere it was transcluded to without the extra #shtml: bit.

I am going to use it for more complex widgets, now that I have a working model.--Well then 20:10, 31 October 2009 (UTC)

Dependent extensions and LocalSettings.php
To work, the LocalSettings.php needs both of the following: require_once("MediaWiki/StubManager/StubManager.php"); require_once("MediaWiki/SecureHTML/SecureHTML.php"); I was going to add, but noticed the PEAR template... then I noticed the template has a DON'T edit this request, so I will leave my note and leave it to someone else. The PEAR template needs a 'dependent' parameter... and then the PEAR template can fix up the LocalSettings.php section with the dependent Extension (using an #if to see if the dependent parameter is set). Whee! Rururudy 05:21, 11 January 2010 (UTC)

#shtml not working even though I installed Extension:ParserFunctionsHelper
I have Extension:SecureHTML set up to give me a protected Forms: namespace. This part works as can be seen at /wiki/Forms:Profile (add this to the domain provided on my User Talk page).

However, when I try to transclude that form onto an unprotected page using, I get an "Extension:ParserFunctionHelper missing" error. See /wiki/Template:CacheSearch

The relevant lines in my LocalSettings.php file are as follows, and /wiki/Special:Version shows that all 3 extensions are installed.

What am I doing wrong? Lil Devil 18:52, 25 May 2010 (UTC)


 * I am having the same problem, and I'm not doing anything fancy like this with a custom namespace. When I do any (calling a protected template to an unprotected page - just the basic, no frills use of this) I get "Extension:ParserFunctionHelper missing.", even though I know it's installed and shows that it's installed on the Version specialpage. In fact, I can't even use  either when I protect both pages. I just get raw HTML output. The template itself looks fine, so I know it's at least partially working. Does this extension even work properly as of MediaWiki 1.15.3? Can anyone confirm? --63.249.108.250 03:57, 26 May 2010 (UTC)


 * I gave up and tried HTMLets, which looks to work great. Not crazy about having to upload every snippet I want to its own file, but it's fine for my uses for now. I like the idea of SecureHTML, but it seems to be broken. I really did try everything!--63.249.108.250 07:57, 26 May 2010 (UTC)


 * Does ParserFunctionsHelper appear on Special:Version? AFAIK Jean-Lou Dupont gave up coding for MediaWiki so we're left alone here. I can confirm it works on the recent MW 1.16 beta version. --Subfader 15:09, 26 May 2010 (UTC)


 * As I said in my original post, yes all 3 extensions do show in Special:Version. I ended up tossing out this extension and it's dependency complexity and switching to Extension:Secured_HTML which is working perfectly for me. Lil Devil 19:31, 28 May 2010 (UTC)


 * This extension worked fine up to MW 1.15.5, if think even on MW 1.16.0beta. It stopped working on MW 1.16.0 Thus I fear that this extension is outdated now. Any other experiences? Cheers --kgh 21:59, 9 August 2010 (UTC) NS I think I will swith to Extension:HTMLets thought I would prefer using this one.


 * $wgRawHtml doesn't work under 1.16.0. I notices because other extension which use $wgRawHtml also stopped working. --80.134.16.107 14:35, 14 August 2010 (UTC)


 * Ah, ok. I will try to find out and file a bug if necessary. I think using Extension:HTMLets is more advisable to use in the case of this extension anyway since it does not utilise $wgRawHtml. Cheers --kgh 22:02, 20 August 2010 (UTC)


 * I have found out that the point the variable is looked at was changed. Thus all extensions using this should be changed if no other extension doing the same or a similar job is available. --kgh 21:26, 23 August 2010 (UTC)

The HTML code is not kept once logged out (anonymous user)
Hi! First of all, thank you very much for this extension. I have succeeded in doing what I wanted (i.e. included in a template a  tag). However, once I log out, the html code is displayed as raw text. Could you please help me to make it work also for anonymous user? Thanks in advance! :-)


 * The reason seems to be that the page you inserted the code is not protected from editing for users and IPs. Thus the code is not secure. Once the page is protected it should work. You can avoid this by using HTMLets in case you do not want to protect the page. Cheers --kgh 21:21, 23 August 2010 (UTC)


 * Thank you very much for your prompt answer. I confirm that the page when the code has been inserted is also protected from editing which is reserved to administrators only. To give you more details, here is the template I have created:
 * 
 *   </a>


 * I have inserted this code:
 * And when I log out, the text appears like that:
 *  Display / Hide details </a>
 * Did I make any mistake? Just for information, I have the following permissions in my localSettings file, don't know if it has an impact on your extension:
 * $wgGroupPermissions['*']['edit'] = false;
 * $wgGroupPermissions['user']['edit'] = false;
 * $wgGroupPermissions['sysop']['edit'] = true;
 * $wgGroupPermissions['sysop']['edit'] = true;


 * Hi, sadly I am not the coder of this extension and not very experienced with coding either. :-( However I was using it happily for over a year without problems. Behaviour as you described it occurred only on occasions I forgot to protect the page. Did you perform a <tt>&action=protect</tt> on the page itself or is it just protected because you protected the page through disallowing it for users and IPs in your <tt>LocalSettings.php</tt>? I suspect it is necessary to additionally do the &action thing. Protecting the page though <tt>LocalSettings.php</tt> does not seem to be enough since the extension does not recognise it. The template used should also be protected. Hopefully this solves your problem. I will keep the fingers crossed. --kgh 21:05, 24 August 2010 (UTC)


 * Hi! Unfortunately, I have also protected both the template and the page using the "protect" tab and selecting "Admin only" in both lists. Anyway I will set $wgRawHtml to true as only admin can edit pages on my wiki. Thanks again for your kind help :)


 * That's sad. I would have loved to be of help. The last reason I can think of is, that your are on 1.16, but then I should not work either if you are logged in. Anyway cheers and all the best for your wiki project --kgh 19:30, 25 August 2010 (UTC)

Templates don't work on other pages
Hi. I created a protected template and the templates itself displays fine, but when I use the template on an article I get the raw html. What am I doing wrong? I am using mediawiki 1.16 fyi. Thanks 67.169.112.215