
Please install the ImageWithLink extension on the SterbalsSundryStudies wiki
Closed, Declined | Public

Description

The extension can be found here:

https://sterbalssundrystudies.miraheze.org/wiki/ImageWithLink.php

  1. Create the file ImageWithLink.php from the text below in your MediaWiki extension directory. You can place it directly there or you can make a subfolder in the extensions directory.
  2. Edit your LocalSettings.php file. You'll find it in the root of your MediaWiki installation. Add the following code at the bottom of the file.

#ImageWithLink
require_once "$IP/extensions/ImageWithLink.php";

This PHP file lets a wiki show external images:

<?php
/**
This extension adds the ability to nearly use wiki syntax to create an external image with a link/url behind it.

Copyright (C) 2012 by
Christof Alber,
Mario Kleinsasser,
Markus Neuhold,
Bernhard Rausch,
Martin Steinwender

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/

$wgExtensionCredits['parserhook'][] = array(

'path' => __FILE__,
'name' => 'Image with Link',
'author' =>'Christof Alber, Mario Kleinsasser, Markus Neuhold, Bernhard Rausch, Martin Steinwender', 
'url' => 'https://www.n0r1sk.com', 
'description' => 'This extension adds the ability to nearly use wiki syntax to create an external image with a link/url behind it - by [http://www.n0r1sk.com n0r1sk.com]',
'version'  => 0.1,
);

$wgHooks['ParserFirstCallInit'][] = 'ImageWithLinkInit';

function ImageWithLinkInit( &$parser ) {
    $parser->setHook( 'iwl', 'ImageWithLink' );
    return true;
}

function ImageWithLink( $input, array $args, Parser $parser, PPFrame $frame ) {
    /** $output = $parser->recursiveTagParse( $input, $frame); */
    list($image, $link, $text) = explode("|", $input);
    $output = '<a href="' . $link . '" target="_blank"><img src="' . $image . '" alt="' . $text . '" title="' . $text . '"></a>';
    return $output;
}

Event Timeline

revi claimed this task.

Loading images from 3rd party location (outside our server) is not permitted under our policy.

(It has been historically declined too.)

For us to use it, it:

  1. has to pass security review
  2. needs to have a GitHub repo (not only a PHP file)

Believe it or not, I saw a security issue in this code in under 20 seconds, because of something I saw at work recently.

https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

Will this fix the security issue?

<?php
/**
This extension adds the ability to nearly use wiki syntax to create an external image with a link/url behind it.

Copyright (C) 2012 by
Christof Alber,
Mario Kleinsasser,
Markus Neuhold,
Bernhard Rausch,
Martin Steinwender

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/

$wgExtensionCredits['parserhook'][] = array(

'path' => __FILE__,
'name' => 'Image with Link',
'author' =>'Christof Alber, Mario Kleinsasser, Markus Neuhold, Bernhard Rausch, Martin Steinwender', 
'url' => 'https://www.n0r1sk.com', 
'description' => 'This extension adds the ability to nearly use wiki syntax to create an external image with a link/url behind it - by [http://www.n0r1sk.com n0r1sk.com]',
'version'  => 0.1,
);

$wgHooks['ParserFirstCallInit'][] = 'ImageWithLinkInit';

function ImageWithLinkInit( &$parser ) {
    $parser->setHook( 'iwl', 'ImageWithLink' );
    return true;
}

function ImageWithLink( $input, array $args, Parser $parser, PPFrame $frame ) {
    /** $output = $parser->recursiveTagParse( $input, $frame); */
    list($image, $link, $text) = explode("|", $input);
    $output = '<a href="' . $link . '" target="_blank" rel="noopener noreferrer"><img src="' . $image . '" alt="' . $text . '" title="' . $text . '"></a>';
    return $output;
}

Well, uh, no. This is not secure either. This is vulnerable to Cross-Site Scripting, pretty obviously. Imagine someone did this:

{{iwl|#" onclick="alert('omg youve been hacked')"|#|#}}

As usual the correct thing to do here would be to use the Html class, probably:

// Html::element() escapes attribute values; rawElement() keeps the inner <img> markup as-is.
Html::rawElement( 'a', [
    'href' => $link,
    'target' => '_blank',
    'rel' => "noopener noreferrer"
], Html::element( 'img', [ 'src' => $image, 'alt' => $text, 'title' => $text ] ) );
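
The difference between concatenating the three fields and escaping them, shown on the input from the comment above. This is an added example, not part of the thread or the extension's code: it runs without MediaWiki, so htmlspecialchars() stands in for the attribute escaping the Html class performs, and the names iwlUnsafe, iwlSafe and iwlIsHttpUrl are hypothetical. The http(s)-only scheme check is an extra assumption that the thread does not raise.

```php
<?php
// Added example, not the extension's code. Stand-alone: htmlspecialchars()
// stands in for the attribute escaping that MediaWiki's Html class performs.

// The original approach: user-controlled fields concatenated into markup.
function iwlUnsafe( string $input ): string {
    list( $image, $link, $text ) = explode( '|', $input );
    return '<a href="' . $link . '" target="_blank"><img src="' . $image
        . '" alt="' . $text . '" title="' . $text . '"></a>';
}

// Hypothetical helper (assumption): accept only absolute http(s) URLs.
function iwlIsHttpUrl( string $url ): bool {
    $scheme = parse_url( $url, PHP_URL_SCHEME );
    return is_string( $scheme )
        && in_array( strtolower( $scheme ), [ 'http', 'https' ], true );
}

function iwlSafe( string $input ): string {
    // Pad so a missing field becomes '' instead of an undefined offset.
    list( $image, $link, $text ) = array_pad( explode( '|', $input, 3 ), 3, '' );
    $image = trim( $image );
    $link = trim( $link );
    if ( !iwlIsHttpUrl( $image ) || !iwlIsHttpUrl( $link ) ) {
        return '<strong class="error">iwl: image and link must be http(s) URLs</strong>';
    }
    // Escape every value before it is placed inside a quoted attribute.
    $esc = static function ( string $s ): string {
        return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    };
    return '<a href="' . $esc( $link ) . '" target="_blank" rel="noopener noreferrer">'
        . '<img src="' . $esc( $image ) . '" alt="' . $esc( $text )
        . '" title="' . $esc( $text ) . '"></a>';
}

// Constructed inputs: the quote-breaking value quoted in the thread, then a benign one.
$samples = [
    '#" onclick="alert(\'omg youve been hacked\')"|#|#',
    'https://example.org/logo.png|https://example.org/|Example "logo"',
];
foreach ( $samples as $s ) {
    echo "input:  $s\nunsafe: ", iwlUnsafe( $s ), "\nsafe:   ", iwlSafe( $s ), "\n\n";
}
```

For the first input the unsafe output carries a stray onclick attribute on the img tag, while the safe variant returns the error message; for the second, the quotes in the alt text come out as &quot; and stay inside the attribute.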

CnocBride closed this task as Declined. Edited Nov 2 2017, 18:25
CnocBride subscribed.

No replies since June 12th 2017 and Labster has said this extension has a security issue.

I finally updated the code as was suggested above. The file should now read:

<?php
/**
This extension adds the ability to nearly use wiki syntax to create an external image with a link/url behind it.

Copyright (C) 2012 by
Christof Alber,
Mario Kleinsasser,
Markus Neuhold,
Bernhard Rausch,
Martin Steinwender

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/

$wgExtensionCredits['parserhook'][] = array(

'path' => __FILE__,
'name' => 'Image with Link',
'author' =>'Christof Alber, Mario Kleinsasser, Markus Neuhold, Bernhard Rausch, Martin Steinwender', 
'url' => 'https://www.n0r1sk.com', 
'description' => 'This extension adds the ability to nearly use wiki syntax to create an external image with a link/url behind it - by [http://www.n0r1sk.com n0r1sk.com]',
'version'  => 0.1,
);

$wgHooks['ParserFirstCallInit'][] = 'ImageWithLinkInit';

function ImageWithLinkInit( &$parser ) {
$parser->setHook( 'iwl', 'ImageWithLink' );
return true;
}

function ImageWithLink( $input, array $args, Parser $parser, PPFrame $frame ) {
    /** $output = $parser->recursiveTagParse( $input, $frame); */
    list($image, $link, $text) = explode("|", $input);
    // Html::element() escapes attribute values; rawElement() keeps the inner <img> markup as-is.
    $output = Html::rawElement( 'a', [
        'href' => $link,
        'target' => '_blank',
        'rel' => "noopener noreferrer"
    ], Html::element( 'img', [ 'src' => $image, 'alt' => $text, 'title' => $text ] ) );
    return $output;
}

John subscribed.

Given the large number of requests, going through each one independently to try and maximise their use.

For this extension, it is not in git version control. Please submit this to GitHub or some other form of Git-based version controlled software and provide a link before reopening.

Thanks.