
Extension:SecureInclude

From mediawiki.org
Warning: Using this extension can result in severe security holes. Know what you are doing. Enabling the noesc feature can expose the wiki to XSS attacks. Enabling local file sources can allow users to view local files on the web server, potentially containing confidential data and passwords. Allowing shell or PHP code is a security risk in itself.
MediaWiki extensions manual
SecureInclude
Release status: stable
Implementation: Tag
Description: Include external static content from the local file system, a remote URL, or SVN. External content can be included or embedded as an iframe.
Author(s): Edeso
Latest version: 2.1.1 (2026-01-09)
MediaWiki: 1.25+
Database changes: No
Licence: GNU General Public License 3.0 or later

A few introductory remarks


SecureInclude is essentially the original Include extension, fixed up so that syntax highlighting works again, with some additions. It provides the parser extension tag <include> and the new tags <shell> and <php>.

The steps to enable syntax highlighting differ slightly from the original extension.

Step 1.

Install SyntaxHighlight as described in Extension:SyntaxHighlight#Installation.

Step 2.

Use the <include> tag with the <syntaxhighlight> attributes documented at Extension:SyntaxHighlight#Parameters (the highlight feature must also be enabled in LocalSettings.php; see Installation below), e.g.
<include src="./tmp/duply.sh" lang="bash" line nocache nopre/>

Documentation


The best documentation for now is the header comment of secure-include.php.

Installation

  • You can either clone the git repo
cd extensions/
git clone https://github.com/edeso/SecureInclude

or

  • Download the latest version zipped and place the file(s) in a directory called SecureInclude in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'SecureInclude' );
    ## including local paths requires uncommenting the following line
    //$wg_include_allowed_features['local'] = true;
    ## you should limit the base path for inclusions
    ## NOTE: you can use variables, relative and absolute paths
    /*
    $wg_include_allowed_parent_paths = [
      $_SERVER['DOCUMENT_ROOT'] . '/extensions',
      './tmp/',
      '/home/dup'
    ];
    */
    ## you should definitely prohibit some sensitive files
    $wg_include_disallowed_regex = [
      '/.*LocalSettings.php/',
      '/.*\.conf/',
      '/.*\/\.ht/'
    ];
    ## including remote URLs requires uncommenting the following line
    // $wg_include_allowed_features['remote'] = true;
    ## you should limit which URLs are accessible
    ## NOTE: the example pattern below still matches every http:// host, internal
    ## ones included; prefer a pattern that names the hosts you actually trust
    //$wg_include_allowed_url_regexp = array('/^http:\/\/.*$/');
    ## you can prohibit URLs by setting the following
    /*
    $wg_include_disallowed_url_regexp = [
      '/^.*:\/\/intranet/'
    ];
    */
    ## several security-sensitive features need to be enabled explicitly
    //$wg_include_allowed_features['noesc'] = true;
    //$wg_include_allowed_features['highlight'] = true;
    //$wg_include_allowed_features['shell'] = true;
    /*
    $wg_include_allowed_checksums['shell'] = [
     'CHECKSUM1',
     'CHECKSUM2'
    ];
    */
    //$wg_include_allowed_features['php'] = true;
    /*
    $wg_include_allowed_checksums['php'] = [
     'CHECKSUM1',
     'CHECKSUM2'
    ];
    */
    
  • Done: navigate to Special:Version on your wiki to verify that the extension is successfully installed.
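As an added illustration of what the local-path and remote-URL settings above are meant to enforce (this is not the extension's own code, but a stand-alone Python sketch; it uses Python re patterns rather than the slash-delimited PCRE strings in LocalSettings.php, the directory tree it builds is constructed for the demo, and docs.example.org is a hypothetical trusted host): a requested local src is resolved to its canonical path before the containment check, so that `..` segments and symlinks cannot escape an allowed parent, and the deny list is applied afterwards; a remote URL must match an allow pattern and no deny pattern. The URL half shows why the `/^http:\/\/.*$/` example is too loose: it lets a wiki editor pull content from loopback or internal hosts unless every one of them is listed in the deny list, whereas an allow list naming trusted hosts does not.

```python
# Added illustration (not the extension's own code): what the local-path and
# remote-URL allow/deny settings are meant to enforce, as plain Python.
# The directory tree and URLs below are constructed for the demo.
import os
import re
import tempfile


def resolve_local_src(src, allowed_parents, disallowed_regex, base_dir):
    """Return the canonical path for src if it may be included, else None.

    A relative src (or parent path) is taken relative to base_dir, the assumed
    working directory of the wiki. Containment is checked on the realpath, so
    '..' segments and symlinks cannot escape an allowed parent. The deny list
    is applied to the canonical path after the containment check.
    """
    def canonical(p):
        return os.path.realpath(p if os.path.isabs(p) else os.path.join(base_dir, p))

    real = canonical(src)
    inside = False
    for parent in (canonical(p) for p in allowed_parents):
        if real == parent or real.startswith(parent.rstrip(os.sep) + os.sep):
            inside = True
            break
    if not inside:
        return None
    if any(re.search(pattern, real) for pattern in disallowed_regex):
        return None
    return real


def is_remote_url_allowed(url, allowed_regex, disallowed_regex):
    """A URL must match at least one allow pattern and no deny pattern."""
    if not any(re.search(p, url) for p in allowed_regex):
        return False
    return not any(re.search(p, url) for p in disallowed_regex)


def build_demo_tree():
    """Constructed layout: <base>/tmp is the only allowed parent and
    <base>/LocalSettings.php stands in for the secret the deny list protects."""
    base = tempfile.mkdtemp(prefix="secureinclude-demo-")
    os.mkdir(os.path.join(base, "tmp"))
    with open(os.path.join(base, "tmp", "duply.sh"), "w") as fh:
        fh.write("#!/bin/sh\necho constructed sample\n")
    with open(os.path.join(base, "tmp", "site.conf"), "w") as fh:
        fh.write("constructed config\n")
    with open(os.path.join(base, "LocalSettings.php"), "w") as fh:
        fh.write("<?php // constructed stand-in for the real settings file\n")
    # a symlink inside the allowed directory that points outside it
    os.symlink(os.path.join(base, "LocalSettings.php"),
               os.path.join(base, "tmp", "leak"))
    return base


def local_demo():
    base = build_demo_tree()
    allowed = ["./tmp/"]
    deny = [r"LocalSettings\.php$", r"\.conf$", r"/\.ht"]
    cases = {
        "plain": "./tmp/duply.sh",                   # allowed
        "traversal": "./tmp/../LocalSettings.php",   # escapes via '..'
        "symlink": "./tmp/leak",                     # escapes via symlink
        "conf": "./tmp/site.conf",                   # inside, but denied
    }
    return {name: resolve_local_src(src, allowed, deny, base) is not None
            for name, src in cases.items()}


def url_demo():
    permissive = [r"^http://.*$"]                  # the page's example pattern
    strict = [r"^https://docs\.example\.org/"]     # hypothetical trusted host
    deny = [r"^.*://intranet"]
    return {
        "permissive_intranet_no_deny": is_remote_url_allowed("http://intranet/x", permissive, []),
        "permissive_intranet_denied": is_remote_url_allowed("http://intranet/x", permissive, deny),
        "permissive_loopback": is_remote_url_allowed("http://127.0.0.1:8080/", permissive, deny),
        "strict_loopback": is_remote_url_allowed("http://127.0.0.1:8080/", strict, deny),
        "strict_trusted": is_remote_url_allowed("https://docs.example.org/a.txt", strict, deny),
    }


if __name__ == "__main__":
    print(local_demo())
    print(url_demo())
```

The containment check deliberately compares canonical paths on both sides: comparing the raw string of `./tmp/../LocalSettings.php` against `./tmp/` would pass a naive prefix test, and a symlink under the allowed directory would pass any check that never resolves it.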