Extension:IframeTag
 Release status: stable |
|
|---|---|
| Implementation | Tag, Special page |
| Description | IFrame that allows administrators to restrict iframes to certain sites. |
| Author(s) | Mark A. Hershberger (MarkAHershbergertalk) |
| Latest version | 1.0.3 (2018-08-06) |
| MediaWiki | 1.31+ |
| Database changes | No |
| Composer | mediawiki/iframe-tag |
| License | GNU General Public License 3.0 |
| Download | GitHub: Note: https://github.com/hexmode/mediawiki-iframe/blob/master/README.org |
|
|
|
This extension allows you use iframe tags in your wiki and makes some attempt to validate the URLs being embedded in iframes. Your wiki admins will be able to use a page in the MediaWiki namespace to update the list of allowed URLs.
As of this writing, only the following attributes are supported:
- src
- Address of the resource
- height
- Vertical dimension
- width
- Horizontal dimension
- allowfullscreen
- Whether to allow the iframe's contents to use requestFullscreen()
- style
- This is the only global attribute that is supported. It is implemented via the base tag builder class.
Installation[edit]
You can install the extension by using composer at the root of your wiki instance:
COMPOSER=composer.local.json composer require --no-interaction --no-update mediawiki/iframe-tag
composer update --no-progress --no-interaction --no-dev --optimize-autoloader
Then add the following to your LocalSettings.php:
wfLoadExtension( 'IFrameTag' );
Or, if you prefer to have the configuration of the allowed hosts made directly in LocalSettings.php and not in the special page:
wfLoadExtension( 'IFrameTag' );
$iFrameOnWikiConfig=false;
$iFrameDomains = [
'one.example.com',
'two.example.com',
'three.example.com'
];
Configuring the allowed hosts[edit]
Currently, host name matching is done based on the full domain name. If a list of names is allowed hosts is given in the configuration and the host in the src attiribute of the iframe tag is not on the configured list of hosts, then the iframe tag is not shown on the wiki.
There are two methods for configuring permissible domains.
On Wiki configuration[edit]
This method is enabled by default, but if you do not want your administrators changing the list of allowed domains, you can set $iFrameOnWikiConfig to false:
$iFrameOnWikiConfig=false;
If you leave the method enabled, people with the editsitejson (administrators and interface administrators by default) will be able to change the value of MediaWiki:IFrame-cfg.json. To authorize the only three domains, the following would be used:
{
"domains": [
"one.example.com",
"two.example.com",
"two.example.com"
]
}
PHP Configuration[edit]
This is the familiar "set a PHP variable in your LocalSettings.php" method.
In your LocalSettings.php, add a setting for the variable $iFrameDomains that contains an array of domains that are allowed. For example:, to authorize the same three domains as are in the above wiki configuration.
$iFrameDomains = [
'one.example.com',
'two.example.com',
'three.example.com'
];
How the tag is parsed[edit]
The src attribute is parsed using PHP's parse_url. The schema is verified as safe (only http, https and ftp are allowed), the URL's domains are checked against a list of allowed urls (if specified), any specified port is added, as is any path, query string (the part following ?) or fragment (the part following #).
If problems are found with when parsing the iframe tag attributes, that attribute is skipped, notes about what went wrong are they are inserted into the page output as HTML comments.
If the src attribute has a problem, then the iframe tag is skipped and the author will have to check the html source to find any problems.