From MediaWiki Widgets
Widget reviewers are the people allowed to edit the actual widget code pages. Their job is to check widgets for security issues such as XSS attacks from wiki users (and potentially from widget providers).
List of widget reviewers
Instructions for widget reviewers
The main goal of widget reviewers is to keep widgets secure: many users are going to use widgets from this site, and it is important that they are as secure as possible (to the degree widgets can be secure).
The first and most important security task is to protect widgets from XSS attacks initiated by wiki users.
The single most important surface for such attacks (assuming the wiki admin has not opened widget creation to all users) is widget variables: they must always be properly escaped and/or validated for the context they are inserted into.
List of the most commonly used 'escape' modifier values
quotes - should be used only if the variable is enclosed within single quotes. For double quotes (e.g. HTML tag attributes) see the 'html' modifier below.
urlpathinfo - should be used if the variable is part of a URL path.
html - should be used if the variable is included directly as part of the HTML or as an HTML tag attribute (e.g. enclosed in double quotes ""; don't use the 'quotes' modifier in this case, because it leaves double quotes untouched!).
If you need to combine the escape modifier with other modifiers like default, you can separate them with a pipe like this:
List of available validators
The Widgets extension implements a validate modifier that uses PHP data filtering to validate widget parameters.
To make sure the $homepage variable value is a valid URL, you can use the following code:
The following values for validate are supported by the Widgets extension (each mapping to the corresponding PHP validation filter):
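To make the difference between the escape values and the validate modifier concrete, here is an added illustration (not code from the Widgets extension or from this wiki) that reproduces in plain PHP what the three common 'escape' values and validate:url do to one untrusted widget parameter. It assumes Smarty's 'html' is htmlspecialchars() with ENT_QUOTES, 'quotes' backslash-escapes single quotes only, 'urlpathinfo' is rawurlencode() with "/" restored, and validate:url maps to filter_var() with FILTER_VALIDATE_URL.

```php
<?php
// Added illustration, not the Widgets extension's own code. The four
// functions mirror (assumption) what Smarty and the Widgets validate
// modifier do to a parameter, so a reviewer can see which context each
// escape value actually protects.

function escapeHtml(string $value): string {
    // |escape:'html' - safe in HTML text and inside double-quoted attributes.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function escapeQuotes(string $value): string {
    // |escape:'quotes' - only unescaped single quotes get a backslash;
    // a double quote passes through untouched.
    return preg_replace("%(?<!\\\\)'%", "\\'", $value);
}

function escapeUrlPathInfo(string $value): string {
    // |escape:'urlpathinfo' - percent-encodes everything except "/".
    return str_replace('%2F', '/', rawurlencode($value));
}

function validateUrl(string $value): ?string {
    // |validate:url - keeps a well-formed URL with a scheme, otherwise null,
    // so the widget can fall back to a default instead of emitting garbage.
    $result = filter_var($value, FILTER_VALIDATE_URL);
    return $result === false ? null : $result;
}

// Constructed sample: both quote kinds, angle brackets, a slash and a space.
$param = 'a"b\'c<d>/e f';

echo "html:        " . escapeHtml($param) . PHP_EOL;
echo "quotes:      " . escapeQuotes($param) . PHP_EOL;
echo "urlpathinfo: " . escapeUrlPathInfo($param) . PHP_EOL;

// The page's warning made visible: with 'quotes' the embedded double quote
// ends the title attribute early; with 'html' it stays inside the attribute.
echo '<span title="' . escapeQuotes($param) . '">wrong</span>' . PHP_EOL;
echo '<span title="' . escapeHtml($param) . '">right</span>' . PHP_EOL;
echo '<a href="https://example.org/' . escapeUrlPathInfo($param) . '">path</a>' . PHP_EOL;

// Constructed URLs: the second one has no scheme and is rejected by the filter.
foreach (['https://example.org/page', 'example.org/page'] as $candidate) {
    echo $candidate . ' => ' . var_export(validateUrl($candidate), true) . PHP_EOL;
}
```

Run it with the PHP CLI and compare the two span lines: only the 'html' variant keeps the whole value inside the attribute, which is what a reviewer must check for every variable placed in a double-quoted attribute.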