Last modified: 2014-02-12 23:40:07 UTC
Would be helpful for displaying RSS feeds from the Wikimedia Blog in the community portal & main page.
I think this is a change that shouldn't require community consensus as it's a non-controversial enhancement request, but others may disagree and ask that you first gather local community consensus. I think enabling the RSS extension on all Wikimedia wikis for the Wikimedia blog might be nice. I don't really want to see a request next week for Meta-Wiki, outreach.wikimedia.org the following week, etc. Enabling the extension everywhere would reduce paperwork, in theory.
From <https://noc.wikimedia.org/conf/InitialiseSettings.php.txt>: --- 'wmgUseRSSExtension' => array( 'default' => false, 'foundationwiki' => true, 'mediawikiwiki' => true, 'uawikimedia' => true, ), 'wmgRSSUrlWhitelist' => array( 'default' => array(), // as of Ext:RSS v2, this means no URLs are allowed. 'uawikimedia' => array( 'http://wikimediaukraine.wordpress.com/feed/' ), 'foundationwiki' => array( 'http://blog.wikimedia.org/feed/', 'http://blog.wikimedia.org/c/our-wikis/wikimediacommons/feed/', 'http://blog.wikimedia.org/c/communications/picture-of-the-day/feed/', ), 'mediawikiwiki' => array( 'https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/Translate.git&a=rss', 'http://blog.wikimedia.org/feed/', ), ), ---
(In reply to comment #1) > I think enabling the RSS extension on all Wikimedia wikis for the Wikimedia > blog might be nice. I don't really want to see a request next week for > Meta-Wiki, outreach.wikimedia.org the following week, etc. Enabling the > extension everywhere would reduce paperwork, in theory. Currently, $wgRSSUrlWhitelist needs to be modified for every feed that is used. So it seems unlikely that enabling it everywhere would reduce the number of shell requests. The code says: // Warning: Allowing all urls (not setting a whitelist) // may be a security concern. ... // include "*" if you expressly want to allow all urls (you should not do this) So it would seem that every request for addition to $wgRSSUrlWhitelist needs to be carefully reviewed for security.
(In reply to comment #3) > Currently, $wgRSSUrlWhitelist needs to be modified for every feed that is > used. So it seems unlikely that enabling it everywhere would reduce the number > of shell requests. Sure, an on-wiki configuration system would be better. That said, comment 0 and comment 1 both specifically refer to the Wikimedia blog (<https://blog.wikimedia.org>). I think enabling the RSS extension and whitelisting only blog.wikimedia.org for all Wikimedia wikis might save some headache/hassle. > So it would seem that every request for addition to $wgRSSUrlWhitelist needs > to be carefully reviewed for security. Hmm, I wonder why this is.
(In reply to comment #4) > > So it would seem that every request for addition to $wgRSSUrlWhitelist needs > > to be carefully reviewed for security. > > Hmm, I wonder why this is. It formats the HTML in blog posts, I'm sure you can understand why that is a issue.
(In reply to comment #5) > (In reply to comment #4) > > > So it would seem that every request for addition to $wgRSSUrlWhitelist needs > > > to be carefully reviewed for security. > > > > Hmm, I wonder why this is. > > It formats the HTML in blog posts, I'm sure you can understand why that is a > issue. If the HTML were filtered then the extension could be more generally useful.
(In reply to comment #5) > (In reply to comment #4) > > > So it would seem that every request for addition to $wgRSSUrlWhitelist needs > > > to be carefully reviewed for security. > > > > Hmm, I wonder why this is. > > It formats the HTML in blog posts, I'm sure you can understand why that is a > issue. (I will just note what I dropped in the IRC channel) <p858snake|l_> TimStarling: actually it might not format html, I was reading the extension page and it looks like I was getting confused with it "Format Links" and "Format Images" option <p858snake|l_> Susan: ^ <p858snake|l_> but would probably want to make sure its cache setup is setup properly before you do it clusterwide <Susan> I assumed it sent raw HTML through the MediaWiki parser/sanitizer. <Susan> But only because that seemed like the only sane thing to do. No idea if it actually does. <Susan> I suppose sanitizing <a> would be problematic.
Not ready for shell because of security considerations + needs consensus -> shellpolicy.