[Wiktionary-l] Doing things we used to be able to do, in the new upgrade

Brion Vibber brion at pobox.com
Wed Dec 22 00:32:29 UTC 2004


On Dec 21, 2004, at 6:20 AM, Muke Tever wrote:
> Now, you help me. :p  It used to be that a few wiktionaries edited
> [[MediaWiki:Copyrightwarning]] to allow users to click and insert 
> necessary special characters... but it seems it is no longer possible 
> to insert the script (/style/wikibits.js) to allow this. Is there a 
> workaround, or a better way to do it now, or will it just have to 
> revert to a copy-and-paste plain-text list?

Arbitrary HTML and JavaScript in the MediaWiki: messages is dangerous, 
and is something that's being phased out. There are a couple reasons 
for this.

The first is security: on our larger sites we have literally *hundreds* 
of sysops with permissions to edit these messages. With those numbers, 
it's hard to assign sufficient 'trust'; even if we believe every one of 
them to be upstanding, well-meaning individuals the likelihood of a 
compromised account increases with every new sysop. If a broken-into 
(or malicious) sysop account can be used to add arbitrary HTML or 
JavaScript code, it could be used to exploit security vulnerabilities 
in web browsers or more simply attack and subvert the wiki accounts of 
other users. Such an attack might be found and reverted immediately, or 
it might attack dozens or hundreds -- or thousands -- of visitors 
before being stopped.

The second is robustness: accidentally or maliciously placed invalid 
HTML could break the site. As the web moves towards more XML (which is 
very strict about proper markup syntax) it can become difficult to 
recover from such a breakage without manual intervention.

There's still a lot of places with raw HTML in messages, so it's an 
ongoing process. Text fragments are being moved to either plaintext or 
wikitext, depending on their use and purpose. (Paragraph-level blocks 
such as the copyright warning are generally wikitext.)

It would probably be worthwhile to write up the special character 
inserter as a MediaWiki extension -- then it could be inserted into the 
wikitext message in a safe, secure way.

-- brion vibber (brion @ pobox.com)
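To illustrate the risk described in the message above, here is an added example (not MediaWiki code, and not from anyone in this thread): a constructed interface message that a compromised sysop account might save, rendered once the legacy raw-HTML way and once through a hypothetical, deliberately tiny wikitext renderer that escapes everything and then permits only bold and italic markup.

```python
import html
import re

# Constructed sample: a tampered copy of a message such as
# MediaWiki:Copyrightwarning, carrying a script tag (the script name
# is the one mentioned in the thread) and an inline event handler.
TAMPERED_MESSAGE = (
    "Please respect copyright. "
    "<script src=\"/style/wikibits.js\"></script>"
    "<b onmouseover=\"alert(1)\">Click here</b> for ''special characters''."
)

def render_raw(message: str) -> str:
    """Legacy behaviour: the message is emitted into the page as-is,
    so any HTML or JavaScript a sysop saved reaches every visitor."""
    return message

# Hypothetical wikitext subset: bold before italic so ''' is not split.
_WIKITEXT_RULES = [
    (re.compile(r"'''(.+?)'''"), r"<b>\1</b>"),
    (re.compile(r"''(.+?)''"), r"<i>\1</i>"),
]

def render_wikitext(message: str) -> str:
    """Hardened behaviour: escape < > & first, then let only the
    whitelisted wikitext constructs produce markup. Quotes are left
    alone because the text is never placed inside an attribute."""
    out = html.escape(message, quote=False)
    for pattern, repl in _WIKITEXT_RULES:
        out = pattern.sub(repl, out)
    return out

def contains_active_content(rendered: str) -> bool:
    """Review/detection helper: does the rendered HTML still contain a real
    script tag or a real element with an inline event handler?"""
    return bool(re.search(r"<script\b|<\w+[^>]*\son\w+\s*=", rendered, re.IGNORECASE))
```

Running `contains_active_content` over both renderings shows the raw path forwards the script and handler to visitors while the escaped path keeps only the intended italics.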