Page MenuHomeMiraheze

Extension Re-review Request: EmbedVideo
Open, NormalPublic

Description

MediaWiki Link: https://www.mediawiki.org/wiki/Extension:EmbedVideo
Gitlab Repo: https://gitlab.com/hydrawiki/extensions/EmbedVideo


This extension was previously removed in late 2016 and is now a declined extension due to security reasons. I'm not familiar with the security reasons for it being rejected, but since the extension is actively maintained, I thought maybe the extension may have changed since then. Because of this, I'd like to request a re-review to see if the security concerns are still applicable to the current version of Extension:EmbedVideo.

Reason for Requesting
Currently, outside just using a Widget iframe, Miraheze offers Extension:YouTube for embedding videos from video sharing services. Per T5535, there was discussion about potentially enabling the other video services supported by Extension:YouTube, which were previously commented out in the Miraheze-forked version of the extension. After reviewing though, it seems like most of the video services supported by Extension:YouTube either don't work or are dead, and while it's not an ask, I figured maybe an alternative extension could be looked for.

Extension:EmbedVideo has larger video service support (24+ services) and is also actively maintained in keeping that support working and up-to-date (Last update a month ago). It seems to be a relatively common extension requested as well, so if the security concerns have been remedied, then I believe the extension would be a boon for editors looking for additional embedded video support without needing to go the Widget route.

Thank you for your time!

Event Timeline

Elaeagnifolia triaged this task as Normal priority.May 14 2020, 23:35
Elaeagnifolia created this task.
AmandaCath moved this task from Backlog to Review Needed on the Extensions board.May 15 2020, 01:33
AmandaCath added subscribers: Southparkfan, AmandaCath.

I could be wrong about this, but I think that the reason why the extension was declined was not that it was unmaintained, but rather because it inserts raw HTML code into wiki pages. This can and is a security risk if it is not managed and regulated properly - in theory someone could, in this case, embed a video where the video itself is malicious and/or the video contains something malicious within it, which would therefore inject the malicious content into the wiki and potentially Miraheze globally. While the chances of this happening are rare, if I understand it correctly Miraheze just doesn't like to take any unnecessary chances when it comes to security (CC @Southparkfan for further clarification/corrections).

Helper added a subscriber: Helper.Jun 28 2020, 17:08

Give me a few days to think about it.