WikiQueer:Widget editors

Widget editors are the users who are allowed to edit the actual widget code pages. Their job is to review every widget for security issues, above all XSS attacks that a wiki user (and potentially a widget provider) could mount through it.

List of widget editors

 * [ Full list of users in the "widgeteditor" group]

Instructions for widget editors
The main goal of widget editors is to keep widgets secure: many users are going to use widgets from this site, so it is important that they are as secure as possible (to the degree a widget, which by definition emits raw HTML, can be secure).

For security, the first and most important task is to protect widgets from XSS attacks initiated by wiki users.

Provided the wiki admin has not opened widget creation to all users, the single most important attack surface is the set of widget variables (the parameters a wiki page passes to the widget). Every one of them must be properly escaped and/or validated before it reaches the output. A Smarty variable written out without a modifier is emitted verbatim, so a quick review check is to look at every variable in the widget and confirm it carries an escape or validate modifier appropriate to the context it lands in (HTML text, attribute, URL, script).

The way to escape and validate template variables in Smarty is to use the escape modifier (standard Smarty) and the validate modifier (specific to the Widgets extension).

List of most commonly used 'escape' modifier values

 * quotes - should be used only if the variable is enclosed in single quotes, i.e. inside a single-quoted JavaScript string literal. It only backslashes single quotes, so it does nothing against a double quote, a backslash or a </script> breakout; for double quotes (e.g. HTML tag attributes) see the 'html' modifier below, and for script contexts Smarty's 'javascript' escape type (which also escapes double quotes, backslashes, newlines and "</") is the safer choice.
 * url - should be used if the variable is part of a URL (a path segment or a query-string value). It percent-encodes the value; that is not the same as checking that a complete URL is safe, so a variable that holds a whole link target should go through the validate modifier described below and then 'html'.
 * html - should be used if the variable is included directly as HTML text or as an HTML tag attribute value (enclosed in double quotes "" - don't use the 'quotes' modifier in this case!). It only protects quoted attributes, so never write a variable into an unquoted attribute.

If you need to combine the escape modifier with other Smarty modifiers, chain them with pipes; modifiers are applied left to right. Put escape last (or validate followed by escape), so that no later modifier can reintroduce unescaped characters into the output.
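The widget page below shows each escape type in the context it is meant for, and chains validate with escape for a variable that holds a whole URL. It is an added example written for this page, not one of this site's widgets: the widget name ProfileCard, its parameters (name, site, tag) and the example.org addresses are assumptions. It uses the Widgets extension's `<!--{ ... }-->` Smarty delimiters.

```smarty
<noinclude>
Added example widget (not part of the original page). Invoke it from a wiki page with:
{{#widget:ProfileCard|name=Alice|site=https://example.org|tag=queer history}}
</noinclude><includeonly><div class="profile-card">
  <!--{* HTML text node: escape:'html' *}-->
  <h3><!--{$name|escape:'html'}--></h3>

  <!--{* attribute value in double quotes: escape:'html' again, never 'quotes' *}-->
  <img alt="<!--{$name|escape:'html'}-->" src="https://example.org/avatar.png">

  <!--{* value that is only PART of a URL (a query parameter): escape:'url' *}-->
  <a href="https://example.org/search?q=<!--{$tag|escape:'url'}-->">posts tagged <!--{$tag|escape:'html'}--></a>

  <!--{* value that IS a whole URL: validate it first, then HTML-escape it for the attribute *}-->
  <!--{if $site}-->
  <a href="<!--{$site|validate:url|escape:'html'}-->">homepage</a>
  <!--{/if}-->

  <!--{* single-quoted JS string: 'quotes' would only backslash single quotes and
        would not stop a </script> breakout, so the 'javascript' type is used here *}-->
  <script>var cardOwner = '<!--{$name|escape:'javascript'}-->';</script>
</div></includeonly>
```

Every `$variable` in the includeonly part carries a modifier, and in each chain the escaping modifier is the last one applied; that is the property a reviewer should confirm for the whole widget.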

List of available validators
The Widgets extension implements a validate modifier that passes the value through PHP's data filtering (filter_var), so widget parameters can be validated, not just escaped.

To make sure a variable's value is a valid URL, apply validate:url to it before writing it into the link's href. Note that FILTER_VALIDATE_URL checks the syntactic shape of a URL only: it does not restrict the scheme, so a value such as mailto:... or ftp://... passes as well, and the validated value still has to be HTML-escaped when it is placed in an attribute.

The following values of validate are supported by the Widgets extension (each mapping to the corresponding PHP validation filter):
 * url (FILTER_VALIDATE_URL)
 * int (FILTER_VALIDATE_INT)
 * boolean (FILTER_VALIDATE_BOOLEAN)
 * float (FILTER_VALIDATE_FLOAT)
 * email (FILTER_VALIDATE_EMAIL)
 * ip (FILTER_VALIDATE_IP)
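To see what each validate type actually accepts and rejects, the PHP script below runs constructed sample values through filter_var with the same filter constants. This is an added example, not the Widgets extension's own modifier code (which may differ in how it reports a failed value); the sample inputs are constructed for illustration, and is_http_url is a helper name chosen here.

```php
<?php
// Added example: exercises PHP's filter_var() with the filter constants behind
// each Widgets "validate" type. Not the extension's own code; the sample values
// below are constructed for illustration.

const VALIDATE_FILTERS = [
    'url'     => FILTER_VALIDATE_URL,
    'int'     => FILTER_VALIDATE_INT,
    'boolean' => FILTER_VALIDATE_BOOLEAN,
    'float'   => FILTER_VALIDATE_FLOAT,
    'email'   => FILTER_VALIDATE_EMAIL,
    'ip'      => FILTER_VALIDATE_IP,
];

/**
 * Runs one value through the filter for the given validate type.
 * Returns [accepted (bool), filtered value].
 */
function validate_param(string $type, string $value): array
{
    if ($type === 'boolean') {
        // Without FILTER_NULL_ON_FAILURE, "off" and garbage both come back as false;
        // with it, garbage becomes null and can be told apart from a genuine false.
        $result = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        return [$result !== null, $result];
    }
    $result = filter_var($value, VALIDATE_FILTERS[$type]);
    return [$result !== false, $result];
}

/**
 * validate:url only checks that the value has the shape of a URL; a link target
 * additionally needs a scheme allowlist. (Helper name chosen for this example.)
 */
function is_http_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Constructed samples: [type, value, why it matters].
$samples = [
    ['url',     'https://example.org/page?x=1',         'plain absolute URL: accepted'],
    ['url',     'example.org',                          'no scheme: rejected'],
    ['url',     'javascript:alert(1)',                  'scheme but no host: rejected'],
    ['url',     'javascript://example.org/%0Aalert(1)', 'scheme and host present, so it PASSES: the filter checks shape, not scheme'],
    ['int',     '42',                                   'accepted and converted to int'],
    ['int',     '042',                                  'leading zero: rejected'],
    ['int',     '4.2',                                  'not an integer: rejected'],
    ['boolean', 'yes',                                  'true'],
    ['boolean', 'off',                                  'false, but a valid boolean'],
    ['boolean', 'maybe',                                'invalid (null with FILTER_NULL_ON_FAILURE)'],
    ['float',   '1e3',                                  'exponent form accepted as 1000'],
    ['email',   'alice@example.org',                    'accepted'],
    ['email',   'alice at example.org',                 'rejected'],
    ['ip',      '192.0.2.1',                            'IPv4 accepted'],
    ['ip',      '2001:db8::1',                          'IPv6 accepted as well by default'],
    ['ip',      '999.0.2.1',                            'octet out of range: rejected'],
];

foreach ($samples as [$type, $value, $why]) {
    [$ok, $filtered] = validate_param($type, $value);
    printf("%-7s %-40s %-6s %-12s %s\n",
        $type, $value, $ok ? 'pass' : 'REJECT', $ok ? var_export($filtered, true) : '-', $why);
}

$link = 'javascript://example.org/%0Aalert(1)';
printf("\nis_http_url(%s): %s\n", $link, is_http_url($link) ? 'allowed' : 'blocked');
```

The one line to take away is the fourth url sample: a value that passes validate:url can still carry a javascript: scheme, so a widget that builds a clickable link from a user-supplied URL should restrict the scheme as well, as is_http_url does, rather than rely on validation alone.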