A couple of quick things which I noticed in CategoryTree yesterday and want to make
sure people are aware of in general:
First, if you use any global variables, set them first! If a site has PHP's
register_globals option on (not recommended, but sometimes on for compatibility)
it's possible to set arbitrary global variables to string or array-of-string
values from any HTTP request.
So something like this is unsafe:
if ( !isset( $wgCategoryTreeMaxChildren ) ) $wgCategoryTreeMaxChildren = 200;
since it allows the other end of the HTTP connection to pass something like
&wgCategoryTreeMaxChildren=1000000 and flood the server with some request. Other
settings might be more dangerous, such as a command line or SQL fragment.
Instead, just set it directly:
$wgCategoryTreeMaxChildren = 200;
The site admin can customize the setting in LocalSettings.php after the
inclusion of the extension file.
Second, beware of CSS. There are various exciting ways you can abuse it,
including the use of inline JavaScript expressions in Internet Explorer. (It may
also be possible to attach XBL/XUL stuff in Firefox.) This opens up scripting
vulnerabilities and could be used to steal cookies or take over a login session.
The Sanitizer::validateTagAttributes() function is available to whitelist HTML
attributes for a given tag and clean up blacklisted CSS bits. To let
user-supplied CSS style attributes through on your tag, you should run it
through something like this:
$divAttribs = Sanitizer::validateTagAttributes( $argv, 'div' );
You can then either pick out just the style attribute (if present) or pass
through all the attributes that MediaWiki would have allowed on a <div> in wikitext.
-- brion vibber (brion @ pobox.com)
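As an added illustration, not code from Brion's post, from CategoryTree or from MediaWiki core: a PHP script that simulates register_globals with extract() on a constructed request, contrasts the conditional default with the unconditional one, and wraps the Sanitizer::validateTagAttributes() call so that only the validated style attribute reaches the output. The register_globals simulation runs stand-alone; the styleAttributeFor() helper is a name of my own and assumes it is called inside MediaWiki, where the Sanitizer class is loaded.

```php
<?php
// Added example; not code from Brion's post, CategoryTree or MediaWiki core.

// --- Part 1: why the conditional default is unsafe under register_globals ---

// Constructed request: what ?wgCategoryTreeMaxChildren=1000000 would deliver.
$request = array( 'wgCategoryTreeMaxChildren' => '1000000' );

// register_globals=On imports every request key as a global before the
// script runs; extract() reproduces that effect for the demonstration.
extract( $request );

// Unsafe pattern: the default is only applied when the variable is unset,
// so the value injected above survives and governs the extension.
if ( !isset( $wgCategoryTreeMaxChildren ) ) $wgCategoryTreeMaxChildren = 200;
echo "conditional default -> ", var_export( $wgCategoryTreeMaxChildren, true ), "\n";

// Safe pattern: assign unconditionally. The request value is overwritten, and
// the site admin still overrides it in LocalSettings.php after the include.
$wgCategoryTreeMaxChildren = 200;
echo "unconditional default -> ", var_export( $wgCategoryTreeMaxChildren, true ), "\n";

// --- Part 2: letting only a validated style attribute through ---

/**
 * Hypothetical helper (assumes MediaWiki's Sanitizer class is loaded):
 * validate the attributes a <div> may carry in wikitext and return an
 * attribute string containing only the style attribute, HTML-escaped.
 * Anything the whitelist rejects (event handlers, blacklisted CSS) is gone.
 */
function styleAttributeFor( array $argv ) {
    $divAttribs = Sanitizer::validateTagAttributes( $argv, 'div' );
    if ( !isset( $divAttribs['style'] ) ) {
        return '';
    }
    return ' style="' . htmlspecialchars( $divAttribs['style'] ) . '"';
}

if ( class_exists( 'Sanitizer' ) ) {
    // Only reached when this file is included from within MediaWiki.
    $userArgs = array( 'style' => 'color: red', 'onclick' => 'x()' );  // constructed tag arguments
    echo '<div' . styleAttributeFor( $userArgs ) . '>', "\n";
}
```

The second part keeps the whitelist decision inside Sanitizer and only adds the HTML escaping of the one attribute it emits; passing all of `$divAttribs` through instead is the other option Brion mentions and works the same way with the rest of the validated array.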
An automated run of parserTests.php showed the following failures:
Running test TODO: Table security: embedded pipes (http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html)... FAILED!
Running test TODO: Link containing double-single-quotes '' (bug 4598)... FAILED!
Running test TODO: Template with thumb image (with link in description)... FAILED!
Running test Template infinite loop... FAILED!
Running test TODO: message transform: <noinclude> in transcluded template (bug 4926)... FAILED!
Running test TODO: message transform: <onlyinclude> in transcluded template (bug 4926)... FAILED!
Running test BUG 1887, part 2: A <math> with a thumbnail- math enabled... FAILED!
Running test TODO: HTML bullet list, unclosed tags (bug 5497)... FAILED!
Running test TODO: HTML ordered list, unclosed tags (bug 5497)... FAILED!
Running test TODO: HTML nested bullet list, open tags (bug 5497)... FAILED!
Running test TODO: HTML nested ordered list, open tags (bug 5497)... FAILED!
Running test TODO: Parsing optional HTML elements (Bug 6171)... FAILED!
Running test TODO: Inline HTML vs wiki block nesting... FAILED!
Running test TODO: Mixing markup for italics and bold... FAILED!
Running test TODO: 5 quotes, code coverage +1 line... FAILED!
Running test TODO: HTML Hex character encoding.... FAILED!
Running test TODO: dt/dd/dl test... FAILED!
Passed 412 of 429 tests (96.04%) FAILED!
I use mediawiki on a lot of sites which have minimal traffic.
It's very time consuming to go click through things on the "Recent
Changes" page to check for spam & vandalism.
What would make it easier to quickly detect is a "Recent Changes diff
page". I'm thinking something that just shows the wiki diff for
several pages at once.
For example on this page:
http://www.mediawiki.org/w/index.php?title=Documentation&diff=prev&oldid=31…
Now just imagine that after the diff part on that page, instead of
having: "Revision as of 18:36, 19 June 2006" and then the page itself,
it would just have the next recent diff.
This would make it much easier to review lots of recent changes
(50/100/250 at a time).
It would also be useful if this activity could be coordinated.
"Trusted" or formally registered users could mark the anonymous
submissions as reviewed. Then the time of good people wouldn't be
wasted on duplicate effort looking for bad stuff.
An option to email a daily or weekly diff formatted with the pretty
mediawiki html output would also be a great feature.
Any hints as to how I might go about trying to implement this?
Maybe: includes/RecentChange.php & includes/DifferenceEngine.php ?
Are there any hooks available or planned that are called right before or
after an article is displayed in HTML? They'd be useful to have around to
display HTML before or after the contents of an article.
Travis
On Thu, Jul 27, 2006 at 12:05:57AM -0600, Chad Perrin wrote:
> > Please don't construe this statement as a veiled snipe at PHP (or Java, or
> > any other language). It's just an observation of fact.
>
> I should help stab someone for choosing PHP, too, for that matter -- but
> we work with what we've got.
Unthreaded: in a clear field, Chad, what *would* you have implemented
MediaWiki in? And why?
(Thread-kill is your friend, folks...)
Cheers,
-- jra
--
Jay R. Ashworth jra(a)baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
Fanfic: read enough, and you'll lose your mind. --me
Dear sir,
I need an IP address to control my camera from the internet.
My IP address number is
192 168 001 124
Please enter my IP address in the internet configuration so I can check my camera from the internet.
Best Regards,
Amed
I keep reading about the German Wikipedia in the news and some new
feature that is going to be added there, but I haven't heard anything
about it on this list. Should I be subscribed to some other list? Has
this even been discussed in the lists, or is it just on IRC (I can't use
IRC at work unfortunately)?
As for the feature, what is the plan for the technical implementation?
Is it an extension? Can it be found anywhere? Is this going to be using
the StableVersion extension or something like it?
I just introduced the StableVersion extension into my environment, and
if there is going to be some native support for this kind of
functionality, I'd like to get more info on it; I'd hate to roll out
this extension to find out that I've wasted my time ;).
V/r,
Ryan Lane
I've found some nice classical ogg files online (CC-BY-SA-2.0). However,
some are larger than 20 MB. Uploading those leads me back to a blank
upload page, without comment or error. 20MB seems to be a magical limit
for PHP.
Is there a way to bypass that limit? I'd hate to have to cut perfectly
good ogg files.
Magnus
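An added diagnostic, not from Magnus's post or from MediaWiki: a PHP script that reads the two php.ini directives that cap an upload and detects the silent failure mode behind the blank page. The function names are my own; the limits it reports are whatever the host configured (PHP's shipped default for upload_max_filesize is 2M, so a 20 MB ceiling is a local setting, not a PHP constant).

```php
<?php
// Added example; not code from the post or from MediaWiki.

/**
 * Convert a php.ini shorthand size such as "20M" or "8K" to bytes.
 * A bare number is already bytes; "-1" (unlimited) comes back negative.
 */
function iniSizeToBytes( $value ) {
    $value = trim( (string)$value );
    $number = (int)$value;              // (int) stops at the first non-digit
    switch ( strtolower( substr( $value, -1 ) ) ) {
        case 'g': $number *= 1024;      // fall through
        case 'm': $number *= 1024;      // fall through
        case 'k': $number *= 1024;
    }
    return $number;
}

/**
 * The two directives that bound a file upload: the whole request body must
 * fit post_max_size and each file must fit upload_max_filesize, so the
 * smaller positive value is the effective ceiling.
 */
function uploadCeiling() {
    $limits = array(
        'upload_max_filesize' => iniSizeToBytes( ini_get( 'upload_max_filesize' ) ),
        'post_max_size'       => iniSizeToBytes( ini_get( 'post_max_size' ) ),
    );
    $effective = PHP_INT_MAX;
    foreach ( $limits as $bytes ) {
        if ( $bytes > 0 && $bytes < $effective ) {
            $effective = $bytes;
        }
    }
    return array( 'limits' => $limits, 'effective' => $effective );
}

/**
 * Detect the failure Magnus describes: when a POST body exceeds
 * post_max_size, PHP discards it and the script sees empty $_POST and
 * $_FILES, so an upload form simply redisplays itself with no error.
 * Call this before treating empty input as "no upload was attempted".
 */
function postBodyWasDropped() {
    if ( !isset( $_SERVER['REQUEST_METHOD'] ) || $_SERVER['REQUEST_METHOD'] !== 'POST' ) {
        return false;
    }
    $contentLength = isset( $_SERVER['CONTENT_LENGTH'] ) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
    return empty( $_POST ) && empty( $_FILES )
        && $contentLength > iniSizeToBytes( ini_get( 'post_max_size' ) );
}

$info = uploadCeiling();
foreach ( $info['limits'] as $name => $bytes ) {
    printf( "%-20s %s (%d bytes)\n", $name, ini_get( $name ), $bytes );
}
printf( "effective ceiling    %d bytes\n", $info['effective'] );
if ( postBodyWasDropped() ) {
    echo "POST body exceeded post_max_size; the upload was silently discarded\n";
}
```

Run from the command line it just prints the configured limits; included in a request handler, postBodyWasDropped() turns the silent case into a message. The fix for oversized files is raising both directives in the host's PHP configuration, keeping post_max_size at or above upload_max_filesize, since the smaller of the two always wins.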