Widget reviewers

From MediaWiki Widgets

Widget reviewers are people who are allowed to edit the actual widget code pages. Their job is to check widgets for security issues such as XSS attacks from wiki users (and potentially from widget providers).

List of widget reviewers

Instructions for widget reviewers

The main goal of widget reviewers is to keep widgets secure: many users are going to be using widgets from this site, and it is important that they are as secure as possible (to the degree widgets can be secure).

The first and most important part of that is protecting widgets from XSS attacks initiated by wiki users.

The single most important surface for such attacks (assuming the wiki admin has not opened widget creation to all users) is widget variables: they must always be properly escaped and/or validated.

Template variables are escaped and validated in Smarty with the escape modifier and the validate modifier (the latter is specific to the Widgets extension).

List of the most commonly used 'escape' modifier values

  • quotes - should be used only if the variable is enclosed within single quotes. For double quotes (e.g. HTML tag attributes) see the 'html' modifier below
  • urlpathinfo - should be used if the variable is part of a URL
  • html - should be used if the variable is included directly as part of the HTML or as an HTML tag attribute value (e.g. enclosed in double quotes "" - don't use the 'quotes' modifier in this case!)

If you need to combine the escape modifier with other modifiers such as default, separate them with a pipe like this:

Hello, <b><!--{$name|default:'guest'|escape:'html'}--></b>!

List of available validators

The Widgets extension implements a validate modifier that uses PHP's data filtering functions to validate widget parameters.

To make sure the value of the $homepage variable is a valid URL, use the following code:

<a href="<!--{$homepage|validate:url}-->">Homepage</a>
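An added example widget template (not from this page or the Widgets extension) that puts the escape modifiers listed above and the validate modifier together in one widget; the parameter names $url, $title, $icon and $summary are assumed:

```smarty
<!--{* Added example, not code from the original page or from the
       Widgets extension: a "link card" widget whose parameters
       ($url, $title, $icon, $summary are assumed names) come from wiki
       users. Each variable gets the modifier for the context it lands in. *}-->
<div class="link-card">

  <!--{* href attribute: validate:url passes only a value that is a
         well-formed URL (PHP's URL filter). The filter checks form,
         not scheme, so limiting links to http/https is a separate check. *}-->
  <a href="<!--{$url|validate:url}-->">
    <!--{* text between tags: 'html' entity-encodes < > & " and ';
           'default' runs first and supplies a fallback for an empty title *}-->
    <!--{$title|default:'Untitled'|escape:'html'}-->
  </a>

  <!--{* attribute value in double quotes: still 'html', never 'quotes'.
         A value like  " onmouseover="alert(1)  renders as
         &quot; onmouseover=&quot;alert(1)  and stays inside the quotes.
         Path segment of a URL: 'urlpathinfo' percent-encodes spaces,
         quotes and anything else that could break out of the path,
         but keeps '/' between segments. *}-->
  <img alt="<!--{$title|default:'Untitled'|escape:'html'}-->"
       src="/w/images/<!--{$icon|escape:'urlpathinfo'}-->">

  <p><!--{$summary|escape:'html'}--></p>

  <!--{* a single-quoted string literal is the one place 'quotes' belongs:
         it backslash-escapes unescaped single quotes so the value cannot
         end the literal. It touches nothing else (line breaks, closing
         tags), so where possible prefer handing user text to scripts
         through an 'html'-escaped attribute instead. *}-->
  <script>
    var cardTitle = '<!--{$title|default:'Untitled'|escape:'quotes'}-->';
  </script>
</div>
```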

The following values for validate are supported by the Widgets extension (each maps to the corresponding PHP validation filter):