Thanks, but please consider changing the way the article to load is specified, as I suggested: specifying the page title instead of a URL and, of course, checking that the parameter is a valid wiki article title. It's more secure than the current way.
Nobody has complained about this extension being disabled yet, so maybe it is not a pain for them to wait some days until it gets totally fixed, even if the syntax changes. This would solve the problem permanently. Maybe you have a tool to check which pages it's used on, to consider each option. Just my 2 cents.

2007/12/7, Inez Korczyński wrote:
> Hi,
>
> Actually, please hold on with switching to a different solution on pages
> which use the TabView extension. I'm going to fix the JavaScript injection
> problems ASAP (today) and will then let you know.
>
> Inez
>
> Jesús Martínez wrote:
> > Just FYI to those who were using the TabView extension: it has been
> > disabled, so the markup is now showing on the pages where it is used.
> >
> > The reason is the JavaScript injection that anyone could produce with
> > it. The first param was injected without any escaping inside a <script>
> > section of the HTML, so you can imagine what could be done with it:
> > from showing an alert() to including an entire external JavaScript file
> > that could steal your cookies or load [[Special:Userlogin]] in a frame
> > and send your password remotely (if your browser stores it).
> >
> > If someday Wikia enables an improved version of this extension, PLEASE
> > do something like making the param that indicates the page to load the
> > title of the article, not a URL, and check it with MediaWiki so that if
> > it doesn't exist it displays a red link or something. This is the proper
> > way of doing things.
> >
> > What it was doing until now could be done with some JavaScript in
> > Common.js, so a replacement for this extension could be made without
> > much effort and without the need for an extension install.
> >
> > As an idea:
> > <http://www.wikia.com/wiki/User:Ciencia_Al_Poder/Embed_Quick_Time_Movies.js>
> > which means: a <div> with a specific class="" attribute. Inside, a list
> > of links, preferably of the form [[Link|Text]] so you can make sure
> > only internal links are parsed and the problem of the TabView
> > extension gets solved.
> >
> > Cheers.
> >
> > 2007/8/17, Inez Korczyński wrote:
> >> Hi,
> >>
> >> I just created a new extension - TabView.
> >> It allows you to create dynamic tabs inside an article page.
> >>
> >> Example: http://toys.wikia.com/wiki/TabViewTest
> >> CSS for that example is at the end of:
> >> http://toys.wikia.com/wiki/MediaWiki:Common.css
> >>
> >> About syntax:
> >>
> >> tag parameters:
> >> id - (optional) postfix for root div for tab
> >> title - (optional) title shown above tabs
> >>
> >> inside parameters:
> >> 1st - tab name
> >> 2nd - url to article with content to display (remember about action=render)
> >> 3rd - (optional) cache content - false/true
> >> 4th - (optional) active tab - false/true
> >>
> >> That extension uses a YUI library module called TabView:
> >> http://developer.yahoo.com/yui/tabview/
> >>
> >> Feel free to play with it, I'm waiting for feedback and remember that
> >> the extension is in beta version.
> >>
> >> Inez
> >>
> >> _______________________________________________
> >> Wikia-l mailing list
> >> [email protected]
> >> http://lists.wikia.com/mailman/listinfo/wikia-l
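
The two fixes this thread asks for (accept a page title rather than a URL, and escape parameters before they land inside a `<script>` section), sketched as an added example that is not part of the original messages and not TabView's code. The function names, the `addTab` call and the title check are assumptions; the check is a simplified stand-in for MediaWiki's own title validation.

```javascript
// Added example; all names here (isPlausibleTitle, toScriptLiteral,
// renderTabScript, addTab) are hypothetical, not the extension's real code.

// Simplified stand-in for a real MediaWiki title check: reject characters
// that are not allowed in titles, plus anything that looks like a URL.
function isPlausibleTitle(title) {
  if (typeof title !== 'string') return false;
  const t = title.trim();
  if (t.length === 0 || t.length > 255) return false;
  if (/[#<>\[\]{}|\u0000-\u001f\u007f]/.test(t)) return false;
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(t) || t.startsWith('//')) return false;
  return true;
}

// Serialize a value as a JS literal that is safe inside an inline <script>.
// JSON.stringify handles quotes and backslashes; the extra escapes keep the
// HTML parser from ever seeing "</script>" or "<!--" in user data, and cover
// the U+2028/U+2029 line separators.
function toScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build the inline script for one tab. Returns null for a rejected title so
// the caller can render a red link or an error message instead.
function renderTabScript(tabName, pageTitle) {
  if (!isPlausibleTitle(pageTitle)) return null;
  return '<script>addTab(' + toScriptLiteral(tabName) + ', ' +
    toScriptLiteral(pageTitle.trim()) + ');</script>';
}

// Constructed sample input: a tab name carrying markup and quotes.
const sample = renderTabScript('News</script><b>"x"', 'Main Page');
console.log(sample);
// A URL in place of a title is refused outright.
console.log(renderTabScript('News', 'http://example.org/?action=render'));
```

The escaped literal still evaluates to the original tab name in the browser, so the tab label displays unchanged while the data can no longer close the script element.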
