Last modified: 2011-12-27 06:11:34 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T35046, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 33046 - Allow usage of parserfunctions within a widget
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
Component: Widgets
Version: unspecified
Hardware: All All
Importance: Normal enhancement
Assigned To: Nobody - You can work on this!
Reported: 2011-12-13 21:47 UTC by Sumurai8 (NL)
Modified: 2011-12-27 06:11 UTC (History)

Description Sumurai8 (NL) 2011-12-13 21:47:04 UTC
I am trying to make Widget:Iframe more secure, by validating an entered URL against a list of whitelisted URLs inside the MediaWiki-namespace. The widget itself allows any URL, but it seems impossible to do something more secure than this widget already did, without hacking a file on the server or using parserfunctions. Allowing parserfunctions would make it possible to make even more advanced widgets, but might be a little tricky.
Comment 1 Brion Vibber 2011-12-13 22:48:54 UTC
Can you give a hypothetical example using parserfunctions? I'm not sure I understand how that would work.
Comment 2 Sergey Chernyshev 2011-12-27 06:11:34 UTC
I think the intended use is to add more logic within widgets using MW's internal functions, e.g. getting a full URL of the article, validating if article exists, getting Article ID and so on.

This all can be done when wrapped in the template, but when it's a question of security, all that becomes an issue as there is no way to restrict the use of the widget (and I don't know how it can be reasonably done).

I'd say the Widgets extension should not be solving security more than common XSS issues - if something more complex is needed, a regular extension should be written.

Widgets was only intended to replace a ton of simple extensions whose sole purpose was to insert "widgety" code and substitute some parameters in a way that would be challenging for Templates.

That being said, if somebody knows a smart and simple way to make this happen, I can take a look myself, or help someone who wants to volunteer.
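
The allowlist check described in the report, sketched as an added PHP example; it is not code from the bug report, from Widget:Iframe or from the Widgets extension. The one-entry-per-line list format and the function names `parseAllowlist` and `isAllowedIframeUrl` are assumptions, and the sample list and URLs are constructed.

```php
<?php
// Added example, not Widgets extension code. Assumed allowlist format: one
// "scheme://host[:port][/path-prefix]" entry per line; "#" starts a comment.
function parseAllowlist(string $text): array {
    $entries = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $p = parse_url(trim($line));
        if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
            continue; // blank lines, comments and malformed entries never match
        }
        $entries[] = [strtolower($p['scheme']), strtolower($p['host']),
                      $p['port'] ?? null, rtrim($p['path'] ?? '', '/') . '/'];
    }
    return $entries;
}

function isAllowedIframeUrl(string $url, array $allowlist): bool {
    // PHP and browsers parse whitespace, control characters and "\" differently.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host']) || isset($p['user']) || isset($p['pass'])) {
        return false; // relative, scheme-less, or carrying userinfo
    }
    $path = ($p['path'] ?? '') . '/';
    if (strpos($path, '..') !== false || stripos($path, '%2e') !== false) {
        return false; // dot segments would be collapsed by the browser
    }
    $origin = [strtolower($p['scheme']), strtolower($p['host']), $p['port'] ?? null];
    foreach ($allowlist as [$scheme, $host, $port, $prefix]) {
        $webScheme = $scheme === 'http' || $scheme === 'https';
        if ($webScheme && $origin === [$scheme, $host, $port] && strpos($path, $prefix) === 0) {
            return true; // exact origin match plus prefix match on a "/" boundary
        }
    }
    return false;
}

// Constructed allowlist text and candidate URLs (reserved example domains).
$allowlist = parseAllowlist("# embed sources\nhttps://video.example/embed/\nhttps://maps.example\n");
$candidates = ['https://video.example/embed/12345', 'https://video.example/embedded/12345',
    'https://video.example.other.example/embed/1', 'https://video.example@other.example/embed/1',
    'https://video.example/embed/../upload', 'javascript:alert(1)'];
foreach ($candidates as $url) {
    printf("%-5s %s\n", isAllowedIframeUrl($url, $allowlist) ? 'allow' : 'deny', $url);
}
```

An accepted URL still has to be escaped with `htmlspecialchars()` when it is written into the iframe's `src` attribute.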
