
Allow usage of parserfunctions within a widget
Closed, Declined · Public · Feature

Description

I am trying to make Widget:Iframe more secure, by validating an entered URL against a list of whitelisted URLs inside the MediaWiki namespace. The widget itself allows any URL, but it seems impossible to do something more secure than this widget already did, without hacking a file on the server or using parserfunctions. Allowing parserfunctions would make it possible to make even more advanced widgets, but might be a little tricky.


Version: unspecified
Severity: enhancement
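The check the reporter describes, an iframe URL validated against an allowlist kept on a wiki page, is easy to get wrong if it is done as a substring or prefix match. The following is an added illustration written for this page, not code from the Widgets extension or from the task; it is in Python rather than the extension's PHP/Smarty, and it assumes a constructed allowlist format of one `scheme://host[:port]` origin per line. It matches the full origin (scheme, host and port) exactly, which is what defeats look-alike hosts, embedded credentials and non-http schemes.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed stand-in for a MediaWiki-namespace page listing permitted
# iframe origins (assumption: one "scheme://host[:port]" per line, '#' comments).
ALLOWLIST_PAGE = """\
# origins that Widget:Iframe may embed (constructed sample)
https://www.youtube.com
https://player.vimeo.com
https://maps.example.org:8443
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """Return (scheme, host, port) for a split URL, or None if it is unusable."""
    if parts.scheme not in DEFAULT_PORTS:
        return None                      # rejects javascript:, data:, file:, ...
    if not parts.hostname:
        return None
    if parts.username or parts.password:
        return None                      # https://allowed.example@evil.example/ confusion
    try:
        port = parts.port                # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def parse_allowlist(text):
    """Build the set of permitted origins from the allowlist page text."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            origin = _origin(urlsplit(line))
        except ValueError:
            origin = None
        if origin is not None:           # malformed entries never widen the list
            allowed.add(origin)
    return allowed


def iframe_src_allowed(url, allowed):
    """True only when the URL's full origin equals an allowlisted origin."""
    try:
        origin = _origin(urlsplit(url))
    except ValueError:                   # e.g. an unterminated IPv6 literal
        return False
    return origin is not None and origin in allowed


def render_iframe(url, allowed):
    """Emit the iframe markup for an allowed URL, or an inert error span."""
    if not iframe_src_allowed(url, allowed):
        return '<span class="error">URL not in iframe allowlist</span>'
    # Attribute-escape the src so a quote in the URL cannot break out of it.
    return '<iframe src="%s"></iframe>' % escape(url, quote=True)


if __name__ == "__main__":
    allowed = parse_allowlist(ALLOWLIST_PAGE)
    for candidate in (
        "https://www.youtube.com/embed/abc",
        "https://www.youtube.com.evil.example/",
        "https://evil.example/?u=https://www.youtube.com",
        "https://www.youtube.com@evil.example/",
        "javascript:alert(1)",
    ):
        print(iframe_src_allowed(candidate, allowed), candidate)
```

The allowlist page is parsed once per render, so a typo in it silently drops that entry rather than admitting everything; an exact-origin match also means `http://` and a non-default port are distinct entries and must be listed explicitly.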

Details

Reference
bz33046

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:06 AM
bzimport set Reference to bz33046.
bzimport added a subscriber: Unknown Object (MLST).

Can you give a hypothetical example using parserfunctions? I'm not sure I understand how that would work.

sergey.chernyshev wrote:

I think the intended use is to add more logic within widgets using MW's internal functions, e.g. getting a full URL of the article, validating if article exists, getting Article ID and so on.

This all can be done when wrapped in the template, but when it's a question of security, all that becomes an issue as there is no way to restrict the use of the widget (and I don't know how it can be reasonably done).

I'd say Widgets extension should not be solving security more than common XSS issues - if something more complex is needed, regular extension should be written.

Widgets was only intended to replace a ton of simple extensions whose sole purpose was to insert "widgety" code and substitute some parameters in a way that would be challenging for Templates.

That being said, if somebody knows a smart and simple way to make this happen, I can take a look myself, or help someone who wants to volunteer.

Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 12:24 PM
Aklapper removed a subscriber: wikibugs-l-list.
Yaron_Koren subscribed.

Yes, putting parser functions, or any other kind of wikitext, within widget code seems like a bad idea, if it's even feasible. I am marking this as "Declined", at long last.