Extension:Secure HTML
This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored. If you are interested in taking on the task of developing and maintaining this extension, you can request repository ownership. As a courtesy, you may want to contact the author. You should also remove this template and list yourself as maintaining the extension in the page's {{Extension }} infobox. |
Secure HTML Release status: unmaintained |
|
---|---|
Implementation | Tag , User rights |
Description | Lets you include arbitrary HTML in an authorized and secure way |
Author(s) | Ryan Finnie (Fo0bartalk) |
Latest version | 3.0 (2016-07-29) |
MediaWiki | 1.23+ |
License | GNU General Public License 2.0 or later |
Download | Download latest stable release (3.0), or: |
Example | <shtml> tag (PayPal forms), Special:SecureHTML |
$wgSecureHTMLSecrets, $wgSecureHTMLSpecialRight, $wgSecureHTMLSpecialDropdown, $wgSecureHTMLTag |
|
<shtml> (configurable) |
|
Translate the Secure HTML extension if it is available at translatewiki.net | |
The Secure HTML extension lets you include arbitrary HTML in an authorized and secure way
Rationale
editOccasionally, you need to display HTML within a wiki, but allowing it site-wide opens you up to various XSS attacks. This extension solves that problem by letting you specify arbitrary HTML, but only if the HTML includes a corresponding hash created by signing the HTML input with a secret only authorized people know.
The extension uses a special page, Special:SecureHTML which helps you build a tag, <shtml>
, which acts as a wrapper around raw HTML.
Example
edit<shtml
hash="7fa503206cb1de131dd6acdca576e92262dd6d176cc3466073a343863743b8ed"
><strong>Hello world!</strong></shtml>
If the user uses a valid shared secret to build the hashed <shtml>
snippet and includes it in a wiki page, the snippet is rendered as the raw HTML contained within the tag. If the shared secret is invalid, the snippet is rendered as an error message (but does not contain the HTML).
Installation
editSecure HTML is compatible with MediaWiki 1.23 and later.
- Download and move the extracted
SecureHTML
folder to yourextensions/
directory.
Developers and code contributors should install the extension from Git instead, using:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/SecureHTML - Add the following code at the bottom of your LocalSettings.php file:
wfLoadExtension( 'SecureHTML' ); $wgSecureHTMLSecrets = [ 'keyname' => 'keysecret', ];
- Modify $wgSecureHTMLSecrets as per below.
- Go to Special:SecureHTML and use the page to create a hashed snippet of raw HTML using the key secrets defined.
- Add the hashed snippet to your desired wiki page.
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Configuration
editSecure HTML uses HMAC digests to sign a piece of raw HTML in a <shtml>
tag, using a shared secret key. The $wgSecureHTMLSecrets configuration array may have multiple shared secrets and is in the format:
$wgSecureHTMLSecrets = [
'Wiki admin' => 'zX6Zn2WRKlQt',
'developers' => '7RCkFRjw68CL',
'Support department' => 'NL9g5QntWNbC',
];
The first part of each pair is the key name, and the second part is the key secret. This way, you can logically segment shared secrets among several groups. If a code> parameter is not given to the <shtml>
tag, the first entry in $wgSecureHTMLSecrets is assumed. So, for example:
<!-- Use the default key ("Wiki admin" in the above example), signed with "zX6Zn2WRKlQt" -->
<shtml hash="ab...cd">HTML</shtml>
<!-- Or specify the key name explicitly -->
<shtml keyname="Wiki admin" hash="ab...cd">HTML</shtml>
<!-- Use the "developers" key, signed with "7RCkFRjw68CL" -->
<shtml keyname="developers" hash="ef...01">HTML</shtml>
The default tag name is shtml
, but may be changed by setting e.g.:
$wgSecureHTMLTag = 'securehtml';
Usage
editThe special page Special:SecureHTML is used to build the snippet, specifying the raw HTML, the key secret, and (optionally) the key name. If a key name is not specified, the first entry in $wgSecureHTMLSecrets is assumed. When the form is submitted, the signed snip is displayed, and an attempt to render the snippet is made. If the key secret is incorrect, you will see the results immediately before adding the snippet to a page.
Special:SecureHTML is restricted to users with the 'edit' right; the rationale is that the user needs to be able to edit pages anyway to use this extension. If you want to change this right, set $wgSecureHTMLSpecialRight to another right or set it to '' to allow anyone to use the special page.
Note that this restriction does not provide much extra security. If your MediaWiki installation requires users to be logged in to edit, it does provide superficial protection against anonymous dictionary attacks (checking the preview result) against a key. However, if users already know a key secret, they can build the signed snippet manually; the special page is not strictly needed.
By default, Special:SecureHTML presents a dropdown list of configured key names from which to select. If you would rather not show all key names, set the following to turn the field into a freeform text input:
$wgSecureHTMLSpecialDropdown = False;
Hash algorithms
editBeginning with version 3.0, HMAC hash algorithms are configurable per key. The default is HMAC SHA256 when the key value is a string (the secret), but may be extended, for example:
$wgSecureHTMLSecrets = [
'default sha256' => 'vwJ2prl4B4bg',
'custom sha512' => [
'algorithm' => 'sha512',
'secret' => 'RZQ8R99C95Xn',
],
'custom whirlpool' => [
'algorithm' => 'whirlpool',
'secret' => 'FXtN2QHflVPf',
],
];
SHA256 should be secure for most purposes, but if you pick a custom algorithm, be careful which one you choose. For example, adler32 would be a very bad choice for hashing.
Version 1.0 used a simple data + secret MD5 hash, which is now considered cryptographically insecure. This format was deprecated in version 2.0 in favor of HMAC SHA256 hashes and removed in 3.0. Any existing version 1.0 hashes must be converted to new hashes.
See also
edit- HTML restriction - list of extensions that allow for the inclusion of raw HTML
- Extension:SaferHTMLTag - Allows only sysops and certain user groups to edit pages containing the
<html>
tag