Extension talk:Anysite

From MediaWiki.org
Jump to navigation Jump to search

For people who think that this extension is unsafe[edit]

For people who think that this extension is unsafe: This extension allows every sites to be embedded. So, technically, well, since HTML code in iFrame tag should not be rendered by Internet engine, I don't think this is the case. Especially, virtually many sites are unsafe. My purpose for creating this extension is to embed every, every sites. If you think that you can improve this extension, please make notes in discussion page. Idea: I will work on version 2.0 which will reject any bad website and any hacking program or permission changer. — Preceding unsigned comment added by Gabeyg (talkcontribs)

This extension is not unsafe because it allows things to be shown in an iframe. It is extremely unsafe because it allows arbitrary javascript code to be injected into the page itself, thus allowing cookie theft, thus directly allowing attackers to hijack accounts. When passing things from $input to $output, the values must be strictly validated, or htmlspecialchars must be applied to them. Try something like <anyweb>"></iframe><script>alert("yum yum i eat your cookies!")</script><iframe name="anyweb" src="</anyweb>. To fix the gaping hole in this extension, use this:
$output= '<iframe name="anyweb" src="'.htmlspecialchars($input)
.'" width="'.$width.'" height="'.$height.'" frameborder="0">'.'</iframe>';
cheers -- Duesentrieb 01:57, 8 May 2007 (UTC)
Thanks to User:Duesentrieb, extension got much safer.— Preceding unsigned comment added by Gabeyg (talkcontribs)

Brilliant[edit]

works a charm - thanks soo much! i've been fluffing around with IFRAME nonscence for a whole day trying to find a workaround for it. you're a lifesaver. i can finally embed our 'easy to use' noticeboard within our intranet!

if you chuck some more search keywords (iframe wiki workaround etc.) in this page you're bound to rescue hundreds of others! =)

thnkx again - dave fear, new zealand. — Preceding unsigned comment added by 202.49.41.201 (talkcontribs)

More options[edit]

Options to specify iframe width, height, and border would be nice in order to not have to force global settings for every embed. —Eep² 11:27, 20 August 2007 (UTC)

OK, I will make new version to be able to choose that. --Gabeyg 11:46, 24 August 2007 (UTC)


Feature suggestion[edit]

I missed some easy resize options per page, so here's a new version which lets users specify height and width :

  <?php
  # Minseong Extension
  # extended by id.facyla.net
  # Tag :
  #   <anyweb>website</anyweb>
  #   and also <anyweb>website|width</anyweb> or <anyweb>website|width|height</anyweb>
  # height & width : use the unit you want : %, px, em, pt, ex.. 
  # Ex :
  #   from url http://aurora1.sourceforge.net
  #   <anyweb>http://aurora1.sourceforge.net</anyweb>
  # 
  # Enjoy !
  $wgExtensionFunctions[] = 'wfanyweb';
  $wgExtensionCredits['parserhook'][] = array(
    'name' => 'anysite extension',
    'description' => 'Display sites through iframe',
    'author' => 'Minseong Kim',
    'url' => 'http://gabeyg.myi.cc/'
    );
 
  function wfanyweb() {
    global $wgParser;
    $wgParser->setHook('anyweb', 'renderanyweb');
  }
 
  # The callback function for converting the input text to HTML output
  function renderanyweb($input) {
    $input = htmlspecialchars($input);
    $width = "100%";
    $height = "500px";
    $fields = explode("|",$input);
    if (isset($fields[0])) {
      $url = $fields[0];
      if (isset($fields[1])) {$width = $fields[1];}
      if (isset($fields[2])) {$height = $fields[2];}
      $output = '<iframe name="anyweb" src="'.$url.'" width="'.$width.'" height="'.$height.'" frameborder="0">'.'</iframe>';
      return $output;
    }
  }
  ?>

++

~facyla~

Resize option[edit]

I made a few changes to get the iframe resize itself. Setting the width to 100% takes care of the horizontal scroll bar. Anysite.php code edit:

# The callback function for converting the input text to HTML output
function renderanyweb($input) {
        $output= '<iframe id="anyweb" name="anyweb" src="'.htmlspecialchars($input).'" 
style="position:relative;top:0px;left:0px;width:100%;overflow:auto;border:none;border-bottom:1px black solid" allowtransparency="true">>'.'</iframe>';                    
        return $output;

If you have content from the same domain you can access the parent document and resize the frame dynamically by adding a script to the iframe document. Iframe document code addition (see http://www.diplok.com/1ppl/html/article093.html):

<script>
 i = parent.document.getElementById("anyweb");
 iHeight = document.body.scrollHeight;
 i.style.height = iHeight + 5 + "px"; 
</script>

If you don't have control over the content in the iframe you will have to add hieght:NNNpx; to the php code edit.
Cheers, Wade — Preceding unsigned comment added by 205.230.28.193 (talkcontribs)

Safe?[edit]

How is this safe? Can't javascript be inserted into the page that is shown and all kinds of nefarious things be done with it? — Preceding unsigned comment added by 65.89.233.43 (talkcontribs)

I admit to not being a guru when it comes to security. I would applicate a bit of info on how this is "Safe" as its tag line says it is. --Vaccano 16:27, 5 November 2007 (UTC)
Because I really wanted to use this extension I did some research and found that iFrames do not protect you from the content within them. Use this extension only if you trust everyone who can edit your wiki to know better than to include bad pages (something rarely possible). Otherwise you are opening up your Wiki (and anything your wiki users can access) to nefarious activity.
A better option (though not fool proof) is Extension:Secure HTML or its similar editing rights based counterparts. --Vaccano 19:04, 28 January 2008 (UTC)
I don't agree. Please see the main page for this extension. --Gabeyg 07:30, 28 December 2008 (UTC)

Would anyone work for me?[edit]

I allow anyone to change the source code of this extension. But if i find the code to make this extension instable, i will remove it. — Preceding unsigned comment added by Gabeyg (talkcontribs)

I can't use this...[edit]

It just shows <anyweb>http://www.google.com</anyweb> — Preceding unsigned comment added by 85.228.121.73 (talkcontribs)

Same Here. It does not work.--Amglez 16:38, 28 January 2008 (UTC)
Same with me. Odessaukrain 02:29, 30 March 2008 (UTC)
Did you modify the LocalSettings.php file to include the script ? (see Installation instructions) ~facyla~

coding not complete?[edit]

Hi, This seems a very useful extension but the code-example seems not complete (anymore?) — Preceding unsigned comment added by 171.21.80.126 (talkcontribs)

Requesting that this extenstion be protected or deleted[edit]

Gabeyg removed negative warnings on this page[1]

Gabeyg deleted a serious warning template on Extension:Anysite twice.

This extension is obviously not stable. Yet the creator lists it as stable.

  1. I am requesting that this extension be deleted or protected.
  2. I restored the serious template warning.
  3. I changed the status from stable to experimental.
  4. I restored the comments Gabeyg deleted.
  5. I think Gabeyg should be warned.

Odessaukrain 03:01, 30 March 2008 (UTC)

For some parts, you are mistaken. For some parts, I am definitely sorry that I failed to maintain and revise this extension. --Gabeyg 07:31, 28 December 2008 (UTC)

Works a charm ...[edit]

Hi, I'm now using this extension since some month (at nearly every page) and until today I couldn't notice any problems. I'm not a coder/programer, so I have no clue if this extension is now safe or not (I'm unable to follow all the undated postings above). So all I can say is, that this extension "works a charm" for me - so far (I'm using MW 1.12). I hope I can see soon some new comments or maybe some improvements for this extension from its creator (Gabeyg) or any helpers or users of this extension, because this extension is definitely great and very EASY to use ... BTW - For the last posters above: I have just compared my extension code-file with the current code on the extension site. As far I can see - nothing has changed. So I wonder why you can't get the extension to work ...

--80.109.228.11 02:26, 22 April 2008 (UTC)

Hi
Great extension! Works with MW 1.13 and 1.15 without any changes in the code - Thanks --Teamghost 08:27, 19 June 2009 (UTC)

Clear Thing about XSS comment[edit]

For non-coders: I added htmlspecialchars to prevent XSS attacks, and I appreciate your concerns. Dear Odessaukrain, if you have a problem with this extension. PLEASE ASK. Don't be so mad like a gorilla. Please ask before you say "Oh yes. SecureHTML is superior." Yes, I know that SecureHTML is more secure than Anysite, but less versatile than Anysite. And, unfortunately, htmlspecialchars functions prevent most of XSS attacks (and that's why this function is made. See PHP manual for this.)

P.S. I am currently busy doing many stuffs. After 3 months, I will return and continue to revise, I promise.

Thanks and cheers, User:Gabeyg

Error After adding Anysite[edit]

Hello, I seem to be getting an error as soon as Anysite is installed, using 1.12. The error I receive is:

Warning: Cannot modify header information - headers already sent by (output started at /home/tf17co/public_html/wiki/extensions/anywebsite.php:1) 
in /home/tf17co/public_html/wiki/includes/WebResponse.php on line 10

As soon as I disable the Anysite extension in LocalSettings.php, it works fine. I have never edited WebResponse.php. Any help would be appreciated. --70.69.63.80 18:07, 22 June 2009 (UTC)

xxxxxxxxxxxxxxxxx

Maybe too late for the one who posted this error, but maybe of help for others
You have to make sure that there are no blanks or blank lines at the beginning or end of your anywebsite.php. I had the same problem. After deleting the blanks the error disappeared.

Vertical scrollbar[edit]

How do I get rid of the vertical scrollbar? I want the page to blend in so people won't actually know i'm attaching another page. I tried putting the height to 100% and higher but the scroll bar is still there. THanks --Bluesoju 14:48, 13 January 2010 (UTC)

embeded Sites breaking out to parent[edit]

Now, is there a posibility to let pages in the frame not brake out to the full site?

Error notices: Undefined index[edit]

I have updated to XAMPP 1.7.7 with PHP 5.3.8 and MediaWiki 1.17.0 and now I get the following error notices:

Notice: Undefined index: mywidth in ...\extensions\anywebsite.php on line 19
Notice: Undefined index: myheight in ...\extensions\anywebsite.php on line 22

What to do? --WikipediaMaster 19:50, 8 October 2011 (UTC)

You either turn of Notices in you php configuration, or you supply mywidth and myheight like this <anyweb myheight="500" mywidth="800">URL HERE</anyweb>

My own hack, using CSS[edit]

<?php
# Minseong Extension
# 
# Tag :
#   <anyweb>website</anyweb>
# Ex :
#   from url http://aurora1.sourceforge.net
#   <anyweb>http://aurora1.sourceforge.net</anyweb>
#   <anyweb mywidth="800" myheight="600">http://my.server.com/</anyweb>
# 
# Enjoy !
$wgExtensionFunctions[] = 'wfanyweb';
$wgExtensionCredits['parserhook'][] = array(
        'name' => 'anysite extension',
        'description' => 'Display sites',
        'author' => 'Minseong Kim, Heinrich Krebs and Others',
        'url' => 'http://www.mediawiki.org/wiki/Extension:Anysite'
);
 
function wfanyweb() {
        global $wgParser;
        $wgParser->setHook('anyweb', 'renderanyweb');
}
 
# The callback function for converting the input text to HTML output
function renderanyweb($input, $argv) {
		$style = 'style="';
		if (isset($argv['style'])) {
                $style .= $argv['style'];
        } else {
                return "No CSS-Style Argument was given to anyweb!";
        }
		if (0 == substr_count ( $style, "height:"))
		{
			$style .= "height:800px; ";
		}
		if (0 == substr_count ( $style, "width:"))
		{
			$style .= "width:500px; ";
		}
		if (0 == substr_count ( $style, "border")) //Don't look for "border:" as border might be definded with separate attributes like border-width, border-style etc.
		{
			$style .= "border:0px; ";
		}
		$style = trim($style).'"';

		$output= '<iframe name="anyweb" src="'.htmlspecialchars($input).'" '.$style.'>'.'</iframe>';
        return $output;
}
?>

Templates inside URL[edit]

Hi,

I cant use mediawiki templates inside the <anyweb></anyweb> tags. For example: <anyweb>Template:SomeTemplate/index/info.php</anyweb> does not work. Is there any possibility to use templates in anyweb ?

Best regards, Marten