Hi, please try: "MediaWiki:Tooltip-n-Survival-Guide". Hyphenated instead of underscored should work.

On 23.01.2012 14:39, kaare mikkelsen wrote:
So, changing the starting letter to capital did solve some of my problems.
Thank you =)
However, I still seem unable to make tooltips for pages with a space in the
title.

For instance, in the mediawiki:sidebar we have:

Survival Guide|Main Page

however, creating mediawiki:tooltip-n-Survival_Guide,
or mediawiki:tooltip-n-Survival_guide has no effect. Neither
does mediawiki:tooltip-n-Main_Page nor mediawiki:tooltip-n-Main_page.

Can someone please tell me what I'm doing wrong?

Thanks
Kaare



On Mon, Jan 23, 2012 at 1:00 PM, <mediawiki-l-requ...@lists.wikimedia.org> wrote:


Today's Topics:

   1. Re: What class logs recent changes (Siebrand Mazeland)
   2. Bypassing the external image whitelist (Daniel Friesen)


----------------------------------------------------------------------

Message: 1
Date: Mon, 23 Jan 2012 08:35:27 +0100
From: Siebrand Mazeland<s.mazel...@xs4all.nl>
To: MediaWiki announcements and site admin list
        <mediawiki-l@lists.wikimedia.org>
Subject: Re: [Mediawiki-l] What class logs recent changes
Message-ID:<ca56b19d-6d4b-4e4a-b89b-1ec276a3a...@xs4all.nl>
Content-Type: text/plain;       charset=us-ascii

On 23 Jan 2012 at 01:57, Adam Meyer <mey...@mindspring.com> wrote:

What class is used to log the recent changes on edits etc
Have a look at http://www.mediawiki.org/wiki/Logging_to_Special:Log

--
Siebrand Mazeland

M: +31 6 50 69 1239
Skype: siebrand


------------------------------

Message: 2
Date: Mon, 23 Jan 2012 03:25:58 -0800
From: "Daniel Friesen"<li...@nadir-seen-fire.com>
To: "mediawiki-l@lists.wikimedia.org"
        <mediawiki-l@lists.wikimedia.org>
Subject: [Mediawiki-l] Bypassing the external image whitelist
Message-ID:<op.v8jbdkfkjuwloh@daniels-macbook-air.local>
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes

I've found a bit of an issue with our external image embedding
whitelisting functionality.
This isn't exactly a hole in the code itself, but in the fact that in
practice it seems just about everyone uses the whitelist incorrectly and
ends up opening up holes in their wiki allowing the whitelist to be
bypassed.

I'll start with MW.org for an example:
https://www.mediawiki.org/wiki/MediaWiki:External_image_whitelist

This image whitelist is fine, it's properly anchored with an explicit
protocol and an initial ^, and it's not using excessive wildcards, there's
nothing wrong with it.

However when I do a Google search and try to find some of the top wikis
using the image whitelist functionality I see this:
http://rbose.org/wiki/MediaWiki:External_image_whitelist
http://mbmodwiki.ollclan.eu/MediaWiki:External_image_whitelist
http://wiki.vnations.net/index.php/MediaWiki:External_image_whitelist
http://stelio.net/geeki/MediaWiki:External_image_whitelist
http://community.wikia.com/wiki/MediaWiki:External_image_whitelist

Basically EVERYONE except the smart people running Wikimedia sites uses the
image whitelist incorrectly. There are rules using .* in some but more
importantly NO ONE anchors their whitelist rules (they don't even bother
including the protocol in some cases so we can't even use an implicit
anchor to the regexps).

This means that the whitelists can be trivially bypassed:
http://community.wikia.com/wiki/User:Dantman/Whitelist_hole

In this example Wikia has a `wikia\.com` regexp line in their image
whitelist.
By using something like this the image whitelist is bypassed:
http://imgs.xkcd.com/comics/security_holes.png?wikia.com&image.png

The "?wikia.com" inside of the query triggers the whitelisting allowing
the image to be embedded, and the trailing &image.png makes sure that the
url still matches the internal image url embed regexp.

By adding a query like this (it doesn't even necessarily need to be a
query, I haven't tested but the fragment might be usable, and even if not
it's liable that you could use the path portion of the url if you had a
server set up to serve images for certain weird urls) you can embed
basically any url you want into the wiki since the query portion of the
url is ignored by webservers serving images.

And to be clear I don't believe that patterns like
`http://upload\.wikimedia\.org/` and `^http://(.*?\.)?wordpress\.com/`
aren't safe. I believe that the special characters in the later parts of
the url won't affect it and you can still get it to work. And ^ anchoring
won't work when using .* style wildcards because you can craft a url such
as

http://my.malicious-website.com/path/to/my/evil/image.png?.wordpress.com&image.png
which would match that latter regexp.

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]



------------------------------

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


End of MediaWiki-l Digest, Vol 100, Issue 18
********************************************
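
The whitelist bypass described in Message 2 above, as an added example that is not part of the original post and is not MediaWiki's own code. It assumes each whitelist line is applied as a case-insensitive regex search anywhere in the URL, uses a simplified image-URL check, and uses Python's `re` in place of PHP's PCRE; `lint_rule`, `is_embeddable`, the strict rule and the `images.wikia.com` URL are constructed for illustration.

```python
import re

# Simplified stand-in for the parser's "does this URL look like an image" check.
IMAGE_URL = re.compile(r"^https?://\S+\.(gif|png|jpg|jpeg)$", re.I)

def load_rules(page_text):
    """Whitelist page text -> rules; blank lines and '#' comments are skipped."""
    lines = (line.strip() for line in page_text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def is_embeddable(url, rules):
    """Assumed model: a rule allows a URL if it is found ANYWHERE in it."""
    return bool(IMAGE_URL.match(url)) and any(
        re.search(rule, url, re.I) for rule in rules)

def lint_rule(rule):
    """List the reasons a rule can match text outside the URL's host name."""
    problems = []
    anchor = re.match(r"\^http(s\??)?://", rule)
    if not anchor:
        problems.append("not anchored with ^ and an explicit protocol")
    rest = rule[anchor.end():] if anchor else rule
    if re.search(r"(?<!\\)\.[*+]", rest.split("/", 1)[0]):
        problems.append("'.' wildcard in the host part also matches '/' and '?'")
    if "/" not in rest:
        problems.append("host part is not closed with '/'")
    return problems

# Rule and URL quoted in the post above.
WEAK_RULES = load_rules("# rule from the post\nwikia\\.com\n")
BYPASS_URL = "http://imgs.xkcd.com/comics/security_holes.png?wikia.com&image.png"
# Constructed for illustration: an anchored rule and a URL it should allow.
STRICT_RULES = load_rules("^https?://([a-z0-9-]+\\.)*wikia\\.com/\n")
LEGIT_URL = "http://images.wikia.com/central/logo.png"

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("strict", STRICT_RULES)):
        for rule in rules:
            print(name, repr(rule), lint_rule(rule) or "ok")
        print("  bypass URL embeddable:", is_embeddable(BYPASS_URL, rules))
        print("  legit URL embeddable: ", is_embeddable(LEGIT_URL, rules))
```

Running `lint_rule` over every line of a wiki's MediaWiki:External_image_whitelist page gives a quick list of the rules that need anchoring or a tighter host pattern.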
