Manual talk:$wgRawHtml

From MediaWiki.org

Ehmm... who has written this crap? There is a link to $wgGroupPermissions with no instructions on how to do it.

Can somebody please rewrite these instructions on how (?) to enable <html> on locked sites?

You do it exactly the same way: set $wgRawHtml to true. The bit about $wgGroupPermissions is to limit editing of the wiki to known / responsible users. Otherwise anybody can come along and insert whatever HTML code they like into your pages. Bit of a security problem that ;-) --Dr DBW | talk 22:45, 26 September 2007 (UTC)
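The combination described above (enable the tag, then lock editing down), written out as a LocalSettings.php fragment. This is an added example, not configuration taken from the manual page; the `trustededitor` group name is an assumption, everything else is a standard MediaWiki setting.

```php
<?php
// LocalSettings.php fragment (added example, not from the manual page).
// Assumption: the wiki needs raw <html>, and only trusted accounts may edit.

// Enable the <html>...</html> tag. Everything inside it bypasses the
// sanitizer, so anyone who can edit can run script in every reader's browser.
$wgRawHtml = true;

// Lock editing down; without this $wgRawHtml is a stored XSS for the whole wiki.
$wgGroupPermissions['*']['edit'] = false;          // anonymous users cannot edit
$wgGroupPermissions['*']['createaccount'] = false; // and cannot self-register
$wgGroupPermissions['user']['edit'] = false;       // ordinary accounts cannot edit either
$wgGroupPermissions['sysop']['edit'] = true;       // administrators still can

// Optional: a dedicated group (assumed name) so that editors need not be sysops.
// Rights are OR'd across a user's groups, so membership here is enough to edit.
$wgGroupPermissions['trustededitor']['edit'] = true;
$wgAddGroups['sysop'][] = 'trustededitor';    // sysops may add people to it
$wgRemoveGroups['sysop'][] = 'trustededitor'; // and remove them again
```

The check a practitioner should make after saving this: log out, open a page, and confirm the edit tab is gone; then visit Special:ListGroupRights and confirm that `edit` appears only on the groups you intended.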

"This is very dangerous"

The warning "This is very dangerous on a publicly editable site" is unspecific. Why is it dangerous? Does it for example enable an exploit that would let someone hack into the MediaWiki site? Or does it merely allow Javascript that would allow a malicious person to harm a user's computer if they run it. -- Cabalamat 20:24, 23 October 2008 (UTC)

It allows JavaScript, which in turn allows people to steal cookies and thereby hijack sessions. If you manage to do that with an admin's session, you can severely damage the wiki. Allowing users to add JavaScript that is run by other users basically means any user can hijack any other user's account.
Full HTML also allows for inclusion of Flash or Java applets, which may open the wiki to additional attacks. -- Duesentrieb 21:36, 23 October 2008 (UTC)
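A check that follows from the explanation above: if $wgRawHtml was ever enabled on a wiki, the stored pages may already carry script or plugin content inside `<html>` blocks. The script below is an added example, not code from the manual page or from MediaWiki itself; it scans wikitext for the constructs Duesentrieb mentions (script, event handlers, javascript: URLs, Flash/Java containers) and reports them. The sample pages at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not from the manual page or MediaWiki): audit wikitext for
// <html> blocks that carry active content. Run with: php audit_rawhtml.php

/** Return the bodies of all <html>...</html> blocks in a piece of wikitext. */
function extractRawHtmlBlocks(string $wikitext): array
{
    preg_match_all('#<html\b[^>]*>(.*?)</html>#is', $wikitext, $m);
    return $m[1];
}

/**
 * Flag what turns raw HTML into code execution in a reader's browser:
 * <script>, inline event handlers, javascript: URLs, and the plugin
 * containers (Flash/Java) named above. Returns the list of matched reasons.
 */
function findActiveContent(string $html): array
{
    $patterns = [
        'script tag'           => '#<script\b#i',
        'inline event handler' => '#\son[a-z]+\s*=#i',
        'javascript: URL'      => '#\b(?:href|src|action)\s*=\s*["\']?\s*javascript:#i',
        'plugin object'        => '#<(?:object|embed|applet)\b#i',
        'iframe'               => '#<iframe\b#i',
    ];
    $hits = [];
    foreach ($patterns as $reason => $re) {
        if (preg_match($re, $html)) {
            $hits[] = $reason;
        }
    }
    return $hits;
}

/** Audit one page; returns [title, block index, reasons] for each suspicious block. */
function auditPage(string $title, string $wikitext): array
{
    $findings = [];
    foreach (extractRawHtmlBlocks($wikitext) as $i => $block) {
        $hits = findActiveContent($block);
        if ($hits) {
            $findings[] = [$title, $i, $hits];
        }
    }
    return $findings;
}

// Constructed sample pages, not real wiki content. In practice feed this the
// text of each page, e.g. from an XML dump produced by dumpBackup.php.
$pages = [
    'Main Page' => "Welcome.\n<html><div style=\"color:red\">Styled box</div></html>",
    'Sandbox'   => "Test\n<html><img src=x onerror=\"alert(document.cookie)\"></html>",
    'Help'      => "No raw html here: &lt;script&gt; is just escaped wikitext.",
];

foreach ($pages as $title => $text) {
    foreach (auditPage($title, $text) as [$t, $i, $hits]) {
        printf("%s: <html> block #%d contains %s\n", $t, $i, implode(', ', $hits));
    }
}
```

Only the Sandbox page is reported: its `<html>` block carries an inline event handler, which is exactly the kind of content the normal sanitizer would have stripped and which $wgRawHtml lets through untouched. The regexes are deliberately broad; treat a hit as something to look at, not as proof of compromise.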
I think that the article should tell the reasons why allowing raw HTML is bad. Specifically, it should mention Javascript attacks, XSS, etc. --Lance E Sloan 12:15, 27 October 2008 (UTC)
added a link to w:en:Session_hijacking -- Duesentrieb 15:08, 27 October 2008 (UTC)
Yeah I just stuck Template:XSS alert on here too, which makes things very clear ...and very yellow. Maybe a bit over the top.
The XSS FAQ seems like a good explanation of the issues.
-- Harry Wood 15:14, 27 October 2008 (UTC)
Looks good! I think it really gets the point across now. --Lance E Sloan 16:03, 27 October 2008 (UTC)
I see {{XSS alert}} as a temporary tag for extensions that just need to be fixed. Let's not punish our readers with it on a manual page. :) —Emufarmers(T|C) 01:49, 28 October 2008 (UTC)
Is that really what the template's intended for? It didn't mention anything about extensions and it seemed to fit the context of the article for this raw HTML feature. We really do need something to grab the attention of users so they know that using this is a very bad idea. --Lance E Sloan 02:04, 28 October 2008 (UTC)
It categorizes articles in Extensions with XSS vulnerabilities. The article has a single line explaining what the setting does; the rest of the article explains why you shouldn't change it and gives alternatives. The red warning exclamation mark is good. —Emufarmers(T|C) 02:14, 28 October 2008 (UTC)

<style> tags filtered out

It doesn't seem to allow "raw" unfiltered HTML. It filters out style tags, for instance, or they're filtered out somewhere along the line. --Frantik 08:15, 12 July 2009 (UTC)

Appears not to work in version 1.16.0

--80.134.16.107 14:11, 14 August 2010 (UTC)

I think a bug should be filed as a result. However, there seem to be security issues connected with this. I will try to find out and file a bug if necessary. Cheers --kgh 21:59, 20 August 2010 (UTC)
I have found out that the point the variable is looked at was changed. Thus all extensions using this should be changed if no other extension doing the same or a similar job is available. I have been advised to avoid $wgRawHtml if possible. Cheers --kgh 21:36, 23 August 2010 (UTC)

This bloody thing doesn't work in 1.15 either!

Wtf!