Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Daniel Friesen
On 2016-10-29 5:30 PM, Brian Wolff wrote: > On Saturday, October 29, 2016, Daniel Friesen > wrote: >> And then there is $image. urlpathinfo doesn't escape quotes, >> backslashes, or . >> > It's hard to find docs on what urlpathinfo actually does (talk about a red > flag

Re: [MediaWiki-l] Follow Up:What Impact did the Mediawiki Stakeholders Wishlist of Features Have

2016-10-29 Thread Brian Wolff
On Saturday, October 29, 2016, chris tharp wrote: > Hi All, > > As a lone tinker with Mediawiki, who pays some attention to things > connected with it, I thought I would ask for a follow up to last year's > Mediawiki Stakeholders survey (see: >

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Saturday, October 29, 2016, Daniel Friesen wrote: > On 2016-10-29 8:40 AM, Brian Wolff wrote: >> On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert >> wrote: >>> Hello, >>> >>> I was wondering about the security of Widgets ( >>>

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Daniel Friesen
On 2016-10-29 8:40 AM, Brian Wolff wrote: > On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert > wrote: >> Hello, >> >> I was wondering about the security of Widgets ( >> https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters >> passed to them. Any

[MediaWiki-l] Follow Up:What Impact did the Mediawiki Stakeholders Wishlist of Features Have

2016-10-29 Thread chris tharp
Hi All, As a lone tinker with Mediawiki, who pays some attention to things connected with it, I thought I would ask for a follow up to last year's Mediawiki Stakeholders survey (see: https://www.mediawiki.org/wiki/MediaWiki_Stakeholders%27_Group). An itemized wishlist of most requested features

[MediaWiki-l] The extensions CookiePolicy and CookieWarning has been merged into one extension CookieWarning

2016-10-29 Thread Florian Schmidt
Hello list members! First of all: If you haven't used one of the extensions (CookieWarning[1] or CookiePolicy[2]) and don't plan to use one of them in the future, you can stop reading here :) tl;dr: The extension CookiePolicy is no longer available and was marked as archived, please use

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert wrote: > Hello, > > I was wondering about the security of Widgets ( > https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters > passed to them. Any thoughts? > > Are the parameters passed through to

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Sat, Oct 29, 2016 at 3:40 PM, Brian Wolff wrote: > On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert > wrote: >> Hello, >> >> I was wondering about the security of Widgets ( >> https://www.mediawiki.org/wiki/Extension:Widgets ) that get

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert wrote: > Hello, > > I was wondering about the security of Widgets ( > https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters > passed to them. Any thoughts? > > Are the parameters passed through to

[MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Dr. Michael Bonert
Hello, I was wondering about the security of Widgets ( https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters passed to them. Any thoughts? Are the parameters passed through to the widget cleansed of html/scripts? If it isn't -- is it possible to easily enforce