On Mon, Jan 23, 2012 at 3:25 AM, Daniel Friesen <[email protected]> wrote:
> I've found a bit of an issue with our external image embedding
> whitelisting functionality.
> This isn't exactly a hole in the code itself, but in the fact that in
> practice it seems just about everyone uses the whitelist incorrectly and
> ends up opening up holes in their wiki allowing the whitelist to be
> bypassed.
>

*nod* I'd generally recommend not to use this old external images feature; as you note its whitelisting is pretty awful (just a ham-fisted regex) but more generally it can trigger false positives (web pages with '.jpg' ending) and lacks any controls for sizing images, giving them alt text or captions, etc.

If there's not already a good extension for embedding external URLs as images that *does* let you set size, alt text, etc, then there probably should be one added. If whitelisting makes sense for it at all, then it should be implemented better as well so it's less error-prone.

-- brion

_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
