Extension talk:MscGen

Add topic
From mediawiki.org
Latest comment: 16 years ago by Juliano in topic Patched for cross site scripting attack
The following discussion has been transferred from Meta-Wiki.
Any user names refer to users of that site, who are not necessarily users of MediaWiki.org (even if they share the same username).

Cool - I like it! -- Mike


I'd love to see some examples of this in action. -- 22:03, 15 December 2006 (UTC)Reply

see here -- 17:48, 19 December 2006 (UTC)Reply

Another Approach to Graph generation[edit]

There is a generic graph layouter called aiSee. I built an interface for it and called it Extension Wgraph. In case somebody is reading this I would be interested in feed-back and comparison with MscGen.

Algorithmix 15:30, 22 July 2007 (UTC)Reply

One installed, the following block will render an image with msc. (MSC isn't installed here, so it doesn't actually work). Note that you need to have both the <mscgen> tag and the msc {} brackets.

msc {

  a->b  [label="ab()"] ;
  b->c  [label="bc(TRUE)"];
  c=>c  [label="process(1)"];
  c=>c  [label="process(2)"];
  c=>c  [label="process(n)"];
  c=>c  [label="process(END)"];
  a<<=c [label="callback()"];
  ---   [label="If more to run", ID="*"];
  a->a  [label="next()"];
  a->c  [label="ac()"];
  b<-c  [label="cb(TRUE)"];
  b->b  [label="stalled(...)"];
  a<-b  [label="ab() = FALSE"];

XSS vulnerability[edit]

I've marked the extension as having an XSS vulnerability.

The offending code is:

        $cmdline = wfEscapeShellArg( $wgMSCSettings->mscgenCommand) .
          " -T png -o " . wfEscapeShellArg( $fname. ".png") . " " .
          " -i " . wfEscapeShellArg( $fname ) . " 2>&1  >" . wfEscapeShellArg( $fname. ".err") . " && rm " . wfEscapeShellArg( $fname. ".err");
    @$err=file_get_contents( $fname.".err" );
    if ( $err != "" ) {
        $txt = "<div id=\"toc\"><tt>$err</tt></div>";
    } else {

The mscgen executable receives data input directly from the user. If the input data is malformed, mscgen may complain about syntax errors (which are stored in $fname.".err") containing pieces of the data read from the input. This error output is passed directly to the output of the page.

If the user input contains some broken syntax including javascript code, that makes mscgen complain and output as a error message, this javascript is potentially included on the output, putting readers at risk.

You should properly sanitize the contents of $err before sending it as the output of the extension.

Remove the XSS-alert tag after you have fixed this issue.

By the way, avoid using id="toc", or any other id= tag for that matter. XML id's are supposed to be unique, and the "toc" ID already have a well defined use for the output generated by Mediawiki.

--Juliano 18:21, 21 April 2008 (UTC)Reply

Patched for cross site scripting attack[edit]

I did a blind (untested) patch for the cross-site scripting attack. As I am no longer actively developing it, would someone please test it?

br, Ruud

Hello Ruud,
It seems fine now. I removed the XSS-alert tag.
Best regards, --Juliano 13:05, 3 May 2008 (UTC)Reply


I'm new at this. How can i set members of $wgGraphVizSettings? Do i need to put it in localsettings.php like below code:

$wgGraphVizSettings['*'] = true;