Widget editors

From MediaWiki Widgets


Widget editors are the users who are allowed to edit the actual widgets. Their job is to check widgets for security issues, above all XSS attacks from wiki users (and potentially from widget providers).

List of widget editors

Instructions for widget editors

The main goal of widget editors is to create secure widgets. Many users will be using widgets from this site, so it is important that they are as secure as possible (to the degree that widgets can be secure).

The first and most important security task is to protect widgets from XSS attacks initiated by wiki users.

The single most important attack surface (assuming the wiki admin has not opened widget creation to all users) is widget variables: they must always be properly escaped. The way to escape template variables in Smarty is the escape modifier.

List of most commonly used 'escape' modifier values

  • quotes - use only if the variable is enclosed within single quotes. For double quotes (e.g. HTML tag attributes) see the 'html' modifier below.
  • urlpathinfo - use if the variable is part of a URL path.
  • html - use if the variable is included directly as part of the HTML or as an HTML tag attribute value (e.g. enclosed in double quotes "" - don't use the 'quotes' modifier in this case!).

If you need to combine the escape modifier with other modifiers like default, separate them with a pipe like this:

Hello, <b><!--{$name|default:'guest'|escape:'html'}--></b>!
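As an added example (not code from the MediaWiki Widgets site), here is a small Python model of the three escape modes listed above, plus the default|escape chain from the last example. The escaping functions are my approximations of Smarty's quotes, urlpathinfo and html modifiers, and the render_attr/attribute_is_intact helpers and the sample value are constructed for the demonstration; the point is to see why a value placed in a double-quoted attribute must use 'html' and not 'quotes'.

```python
"""
Added example, not code from the MediaWiki Widgets site: a small Python model
of the three Smarty 'escape' modes the page lists (quotes, urlpathinfo, html),
used to show which output context each one actually protects. The escaping
functions mirror Smarty's behaviour as far as I know it; treat them as an
approximation, not as Smarty itself.
"""
import html
import re
import urllib.parse


def escape_quotes(value: str) -> str:
    """escape:'quotes' - backslash-escape single quotes that are not already
    escaped. Only safe inside a single-quoted string; it leaves <, > and
    double quotes untouched, so it does nothing for a "..." attribute."""
    return re.sub(r"(?<!\\)'", lambda m: "\\'", value)


def escape_urlpathinfo(value: str) -> str:
    """escape:'urlpathinfo' - percent-encode the value for use in a URL path,
    keeping '/' as the path separator (rawurlencode with %2F restored)."""
    return urllib.parse.quote(value, safe="/")


def escape_html(value: str) -> str:
    """escape:'html' - htmlspecialchars-style escaping of & < > " and '.
    (Python encodes ' as &#x27; where PHP uses &#039;; both are equivalent.)"""
    return html.escape(value, quote=True)


MODIFIERS = {
    "quotes": escape_quotes,
    "urlpathinfo": escape_urlpathinfo,
    "html": escape_html,
}


def apply_chain(value: str, chain: str) -> str:
    """Apply a Smarty-style modifier chain such as "default:'guest'|escape:'html'"
    left to right. Constructed mini-interpreter for the two modifiers the page
    uses, not Smarty's own parser (it does not handle '|' inside arguments)."""
    for step in chain.split("|"):
        name, _, arg = step.partition(":")
        arg = arg.strip("'")
        if name == "default":
            value = value if value else arg
        elif name == "escape":
            value = MODIFIERS[arg](value)
        else:
            raise ValueError(f"unsupported modifier: {name}")
    return value


def render_attr(value: str, modifier: str) -> str:
    """Render a wiki-supplied value into a double-quoted HTML attribute,
    the context the page says requires escape:'html'."""
    return '<a title="%s">link</a>' % MODIFIERS[modifier](value)


def attribute_is_intact(rendered: str) -> bool:
    """Constructed check: the markup still has exactly one opening and one
    closing tag and exactly two raw double quotes, so the value stayed inside
    the attribute instead of ending it and adding attributes of its own."""
    return rendered.count("<") == 2 and rendered.count('"') == 2


if __name__ == "__main__":
    # Constructed sample: a value that tries to close the attribute early.
    breakout = '" data-injected="'
    print(render_attr(breakout, "html"))      # value stays inside the attribute
    print(render_attr(breakout, "quotes"))    # 'quotes' leaves the " untouched
    print(attribute_is_intact(render_attr(breakout, "html")))    # True
    print(attribute_is_intact(render_attr(breakout, "quotes")))  # False
    print(apply_chain("", "default:'guest'|escape:'html'"))      # guest
```

Run it directly to see the two renderings side by side: with 'html' the injected double quotes become &quot; and the attribute survives, with 'quotes' the value closes the title attribute and the rest of it becomes a new attribute, which is exactly the mismatch the list above warns about. When reviewing a widget, the question to ask for every variable is which of these three contexts it lands in.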