Page MenuHomeMiraheze

Review Html5mediator
Closed, DeclinedPublic

Event Timeline

@labster The extension looks very simple, as it only has a short (113 line) php file. All it does is take the SRC from videos, so it should really not have any security concerns. I'd say it can be approved, just need a quick approval from you.

Well, not so simple actually. Currently declined due to security issues (arbitrary JS insertion), but easily fixable. I'm going to see if the author will merge someone else's PR from 5 months ago. If he does, then it's worth me writing the code to fix the issue.

User no longer requires the extension.

labster added a project: Upstream.

Actually, that was someone else's PR from 17 months ago... oops.

I opened with a detailed description of how to exploit it. Unless that gets fixed, we won't be installing this extension here. The word vulnerability might get his attention -- or it might not. And it looks like 1.30 may get some <video> support, so this might become a moot issue before this extension gets fixed.

Setting status to Stalled for now. If nothing happens in a month, we'll decline.

John lowered the priority of this task from Normal to Low.Sep 4 2017, 10:30

Widget:Html5mediaAudio will probably be okay for T1628 and T1538

John subscribed.

Secure alternative accepted above. No other requests for this specific extension.