[00:29:33] [1/3] https://www.0utersi.de/Place_Holding
[00:29:33] [2/3] updated my visual novel wiki
[00:29:33] [3/3] https://cdn.discordapp.com/attachments/615786602454581249/1478187538156884008/image.png?ex=69a77cec&is=69a62b6c&hm=3e3d97bf717cd108b8b9ccea3488c93ea326c2987da5adf72594344b2027e937&
[00:29:58] (you can make custom visual novel stories inside a wiki)
[00:30:48] is that minerva
[00:33:36] `class="mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject page-Place_Holding rootpage-Place_Holding skin-minerva action-view skin--responsive minerva--history-page-action-enabled"` yes
[00:35:05] yes i wrangled that skin till it died
[02:14:44] ...with the widget extension, of which, boohoo 🙁
[02:16:14] mmmmmm bomb
[02:16:24] yummy pipe bomb
[02:17:09] which explosive compounds are the best
[02:17:18] c4?
[02:17:32] 2*c2
[02:18:15] good ol classic tnt on top
[02:25:35] <_chrs_, replying to tangoer_man> mmm you could totally use JS
[02:26:25] yeah but idk how to do page-specific js without loading it common.js
[02:44:39] <_chrs_, replying to tangoer_man> you can set a gadget to run on pages in a certain category
[02:45:05] <_chrs_> basically you mark it as default and hidden and only used on certain categories
[02:45:27] <_chrs_> cf. https://www.mediawiki.org/wiki/MediaWiki:Gadgets-definition#template-gadgets
[03:02:03] til you can scope to cats
[03:02:12] for me, i scoped to a namespace and checked the page in js
[03:03:00] https://rainverse.wiki/wiki/MediaWiki:Gadget-Birthdays.js
[04:02:35] Come on shawty. It's your birthday.
[08:09:12] [1/2] genuine question but is there anything inherently wrong with the widget extension?
[08:09:12] [2/2] ik of the safety issues but literally every parameter i use is escaped
[08:21:52] [[2020-12-23 Security Disclosure]]
[08:21:52] https://meta.miraheze.org/wiki/2020-12-23_Security_Disclosure
[08:21:53]
[08:22:13] [1/2] btw i wonder what are the safer alternatives? don't tell me js
[08:22:13] [2/2] https://cdn.discordapp.com/attachments/615786602454581249/1478306491327844404/image.png?ex=69a7ebb5&is=69a69a35&hm=6de1ec50eaf18c4dcf34bbe5fa00ecc6cc8a70d0073d83aeeec7f99b888ba5bf&
[08:28:34] btw i've seen a farm allowing users to create mustache templates in-wiki, which functions similarly to the widgets ext
[08:32:52] ok well this is about miraheze tho, and the fact that its not safe to just straight up allow the widget to a wikifarm isnt it
[08:35:44] see also another farm https://support.wiki.gg/wiki/Widgets
[09:05:50] this does not really say anything tho lol
[09:05:58] it just says it needs permission to use it
[09:06:28] im not making a wikifarm either, the editing of html and js is strictly only done by me
[09:16:16] Probably gadgets.
[09:19:02] hmm that's js
[09:19:43] i think it's alright as long as you don't write risky code yourself (requiring double examination)
[09:19:59] Widgets allowing the user to interface with PHP of all things is a huge problem. It would've been a much better extension if constrained to a pair of sanitized wikitext alongside JavaScript.
[09:20:46] maybe this is okay?
[09:21:56] reminds me of this again
[09:22:08] this
[09:22:09] Yes. And people usually don't criticize other people's work in public, so they just vaguely say "it's unsafe" and not go into details (e.g. https://river.me/blog/glossary/).
[09:22:24] In rare cases where they do, https://github.com/CanastaWiki/Canasta/issues/560
[09:22:42] if i can write with codex freely on the wiki it would be much more convenient than gadgets
[09:23:11] thank you! i am putting effort into researching the extension because i do wanna keep a game aspect in my wiki but not at the expense of endangering others
[09:23:41] i am not sure if the escape function can be loopholed but atm every parameter i added is escaped to html
[09:24:39] ig yes, it can be rewritten with gadget in js
[09:25:39] ill be honest i have no idea how to use gadgets atm, or at least to the extent of customization scope i need for the code
[09:27:29] There are people more familiar with security than I am on this server. My own intuition is that if you pass all arguments to `data-` attributes in HTML and not let them affect your JavaScript and refrain from using PHP-related features, you will probably be fine.
[09:27:56] [1/2] btw here's their doc https://www.huijiwiki.com/wiki/Help:Mustache%E6%A8%A1%E6%9D%BF but their ext is not open source
[09:27:56] [2/2] but if this is confirmed alright maybe we can also develop another safe widgets alternative?
[09:28:00] what exactly would count as php features?
[09:29:43] (compare [gadget implementation](https://xyy.miraheze.org/wiki/MediaWiki:Gadget-GdCopyright.js) and their [widgets alternative implementation](https://xyy.huijiwiki.com/wiki/Html:%E5%B9%BF%E4%B8%9C%E7%89%88%E6%9D%83%E7%BD%91) of the same thing)
[09:33:08] The Smarty features in the docs. Stuff like foreach seems rather suspicious to me, though our security experts might know better.
[09:35:02] [1/3] i see, thanks for the insight!
[09:35:02] [2/3] i might need to change my current code to accommodate the safety precautions you told me
[09:35:03] [3/3] as currently people can change a few parameters in the javascript, if that is dangerous i will modify my code
[09:35:35] basically i am using javascript to build the html coding, but i understand how this could be dangerous
[09:37:00] [1/2] Looks like there was an XSS vulnerability in https://www.huijiwiki.com/wiki/%E5%B8%AE%E5%8A%A9:Mustache%E6%A8%A1%E6%9D%BF/%E5%8D%B1%E9%99%A9%E6%A8%A1%E6%9D%BF
[09:37:00] [2/2] I will defer to our security experts on this one. I do agree that some way of editing unfiltered HTML would be nice (similar to speciallycursed). Unfortunately the solutions often end up being free XSS, especially when the implementation is not careful.
[09:37:36] if user input can't be concatenated to the js code ig it's not that dangerous
[09:39:03] but idk too much about security either
[09:40:51] so we basically want speciallycursed but can be inserted anywhere on any page instead of just special pages
[09:40:58] my project is basically creating a collaborative writing universe like scp in a wiki except its visual novels so its inherent this will be code heavy, so i am making sure everything is safe
[10:43:03] [1/2] okay actually i can use it now. just wait until the mw object appears
[10:43:04] [2/2] https://cdn.discordapp.com/attachments/615786602454581249/1478341934107070557/image.png?ex=69a80cb7&is=69a6bb37&hm=af40d2fdfa12c9542167f9412968123d98331986f3223485ce785893883c9cfc&
[10:43:34] push it to RLQ somehow doesn't work idk why but waiting works
[10:43:35] :3c
[10:51:54] https://static.wikitide.net/rainversewiki/c/cd/Arc_and_Harley_pizza.png
[11:26:44] <.labster> guys, what the heck is going on with the moon rn?
[11:27:23] <.labster> First Iran gets bombed, now the moon is blood red.
[11:29:04] i find it hard to believe...i mean the moon isn't red so that's odd
[11:43:11] <.labster> Looking at it right now, definitely red
[12:34:30] https://cdn.discordapp.com/attachments/615786602454581249/1478369978683228160/image.png?ex=69a826d5&is=69a6d555&hm=94130aa7879a8e807d1a1a61038227e7b03ecdeddbc3dd90ee3ac2aae1a2442d&
[13:03:40] it's cause the moon has Awaken
[13:46:08] that's interesting..
[14:33:57] evil moon...
[14:34:30] its gonna try to crash into us but our saviour, the Roche limit, shall shave us!!!
[16:42:24] it's the blood moon, means all mobs will respawn
[21:42:47] the future of miraheze when
[23:17:36] Soon™