

This page documents technical support requests sent to Wikia via Special:Contact (bug reports, extension requests, server/cache problems and so on) together with the replies received, for anything that is relevant for future reference.

Records before Jan 2012 are not available.


Youtube embeds and Safari browser (23 May 2012)

Hello.

I noticed that Youtube videos embedded on Wikia wikis started to use the AS3 version of the player about a week ago. Chrome, IE10, Firefox, and Opera all display the AS3 player. Only when browsing using Safari are all the videos presented using the AS2 player. I checked both Kirby Wiki (http://kirby.wikia.com/wiki/Nebula_Belt) and the help wiki (http://help.wikia.com/wiki/Help:YouTube_extension) and results are consistent cross-wiki.

Now this wouldn't be a problem with traditional videos, I suppose, but if we are hiding the video part and only using the player controls, the AS3 player is 10px higher than the AS2 one due to the relocated seek bar. On the said page on Kirby Wiki, for example, the video under the Video section works fine using both versions of the players, but under Music where only the player controls are displayed, the majority of the browsers are displaying AS3 now so I expanded the template to show the full player controls, but Safari still uses AS2 so there is 10px of video displayed on top of the controls.

I thought this was a problem on Google's end until I checked this using Safari (https://developers.google.com/youtube/youtube_player_demo)

Safari displays the AS3 player properly.

Is this an issue with the Youtube extension v1.10 (of the wiki) showing under Special:Version? If it is, is the AS3 player going to be implemented for Safari, or if it's not, what's causing this?

System details: I'm running Safari 5.0.5 (7533.21.1) with no extensions on Windows 7 x64

Thanks.

Changtau2005
KirbyKSSUwalk Poyo!
Hi,
Thanks for contacting Wikia. Unfortunately we have no control over which player YouTube serves, so you can't adjust that aspect. The CSS you use to hide the video seems to be causing part of the issue. You can target it to Safari only by checking out this link: http://www.webmonkey.com/2010/02/browser-specific_css_hacks/#Safari This hopefully should help. A front end engineer recommends that you move to using classes, and that you can try the following:
@media screen and (-webkit-min-device-pixel-ratio:0) {
   .video-controls { height: 20px; } /* for example */
}

Thanks and hope that helps!
Sarah
---
Sarah Manley
Wikia Community Support


Verbatim tags disabled (1 September 2015)

Archived from talk page (permalink)

Hi Wikia,

We've been using verbatim tags to document music throughout the site and for custom templates. This feature has been in use for years already, and is built very deeply into some of the articles. Our users have been wondering why these templates suddenly stopped working, and from how I see the parser handles the verbatim tag, and from here, http://community.wikia.com/index.php?title=Help%3AVerbatim_tags&diff=1579121&oldid=1557696, I believe that it has been silently disabled a few days ago.

Could you please re-enable it on Kirby Wiki?


Best,
changtau2005
Kirby Wiki technical admin
Changtau2005
KirbyKSSUwalk Poyo! 12:14, September 1, 2015 (UTC)

Staff reply:

Hello,

Thanks for contacting Wikia.

Verbatim is being phased out of Wikia due to security concerns. It allows for raw injections of HTML and JavaScript into our site. We are instead building replacement tools - Twitter tags, Facebook feeds, video embeds - to replace this feature. If there is a specific use case on Kirby you would like consideration for, please give me a link to how you are currently using Verbatim.

Timothy Quievryn
Director of Technical Support
Wikia Community Support Team

Follow-up:

Hi Timothy,

I guessed that's probably why it's been phased out, either that or a policy change. However, we do use it for soundtrack documentation precisely because there is no other way to do what we want with the default players. Moreover, since only administrators can modify the MediaWiki pages required to construct the HTML for each pair of verbatim tags even before this change, it's not quite the same as arbitrary code injection. If there's a specific vulnerability in a code snippet that you are aware of within Kirby, perhaps it would be better to talk to us about it directly? Usually the other admins delegate this kind of stuff to me since I'm a data scientist / software developer myself, so feel free to use technical language if it makes explaining the problem easier.

The main templates that use the verbatim tags are:
* http://kirby.wikia.com/wiki/MediaWiki:YoutubeIframeSingleVideo
* http://kirby.wikia.com/wiki/MediaWiki:YoutubeIframePlaylist
* http://kirby.wikia.com/wiki/Template:YoutubeIframe/Core
* http://kirby.wikia.com/wiki/Template:YoutubePlaylistPlayer
* http://kirby.wikia.com/wiki/Template:Youtube

We currently use it to invoke an AS3 player, which is sizable to whatever aspect ratio we want. It also interfaces with a small piece of JavaScript within Common.js that sends AJAX requests to Youtube on page load for playlist data via the gdata API.



Best,
changtau2005
Changtau2005
KirbyKSSUwalk Poyo! 19:22, September 2, 2015 (UTC)

Staff response:

Hello,

Thanks for contacting Wikia. Unfortunately, you are incorrect. The code you linked below does allow for arbitrary code injection. This is exactly the reason why these code pairs were disabled.

As of right now, the only fallback to this is the YouTube tag: http://c.wikia.com/wiki/Help:YouTube_extension

We are currently working on replacements for audio players, such as Spotify and SoundCloud. We are aware of a need for audio only streams and working on getting a replacement. There will be more details to come in our Technical Updates (http://c.wikia.com/wiki/Blog:Wikia_Technical_Updates), so please keep an eye peeled for them. You can subscribe to the Technical Update blog by clicking the link on this page: http://c.wikia.com/wiki/Blog:Wikia_Technical_Updates?action=watch.

Timothy Collins
Community Technical Support

Follow-up:

Hi Tim,

Can you point out which part (the line number, etc.) allows for code injection, and can you give an example? Just saying that I'm incorrect is not specific enough to help us fix this stuff, nor is it enough for me to explain why 10% of our stuff is broken to the rest of the administration team, much less the users who don't have any idea of what's going on.

Since the explanation on the page explaining verbatim tags specifically says that it is enabled for certain communities, can you explain which of the use cases are immune to code injection, or if otherwise, why they are allowed, while ours is not? Is it something as simple as requiring sanitization of parameters passed from template calls, or is it something else altogether?



Best,
changtau2005
Changtau2005
KirbyKSSUwalk Poyo! 22:49, September 3, 2015 (UTC)

Staff response:

Unfortunately, I cannot, as doing so would explain how these vulnerabilities could be used against us. This is the reason that my reply was vague.

The pages that have been whitelisted have been sanitized (https://en.wikipedia.org/wiki/HTML_sanitization) to prevent HTML from being added. The templates you were using rely on snippets to be 'injected' into the HTML and thus are not sanitized. You can view the current whitelist here: http://c.wikia.com/wiki/Help:System_messages/whitelist

Unfortunately, the version of script you were using not only adds a site vulnerability, but it is actually against YouTube's Terms of Use in that "no video can be streamed at less than 200px height".

As I mentioned before, we do recognize this as being a need within the communities and are working on a replacement tool now to allow this feature once again that does not allow for script injection.

Please understand and I thank you for your patience.

Timothy Collins
Community Technical Support

Follow-up:

Hi Tim,

Thank you. That explained quite a lot more to me. From what you've just said, I take that using verbatim to insert HTML, partial or otherwise, is no longer allowed.

I'm not a MediaWiki expert, but I thought our implementation lets administrators insert arbitrary things, yes, as long as the template is protected, but for input captured from template fields, since they are outside of the verbatim tags, shouldn't those be sanitized first, before MediaWiki makes it part of the HTML, like how it happens normally without verbatim at all? Maybe {{int:}} changes the order by which sanitization / template expansion happens, I don't know. I don't see a way that I can try to do a hello world with how things stand, so I'll have to take your word for it, that there is a way for any user to execute arbitrary code, namely there must be a loophole in this sanitization process for verbatim somewhere that I'm not aware of.

This is partly a separate issue, but I'm trying to see what options we have to carry this forward other than using pre-made plug-ins (that are not currently available) that may or may not fully do what we want. I've noticed that Common.js and Wikia.js are also no longer editable (at least by me). Are administrators no longer allowed to tweak global JavaScript, presumably because it also lets us insert arbitrary HTML or execute custom scripts? Assuming verbatim stays disabled, are the JavaScript pages going to stay this way? I fully understand (and appreciate) your commitment to security, but this degree of customization is what makes MediaWiki so attractive as a platform. I understand administrators shouldn't be able to change LocalSettings.php, but all global JavaScript? I know Wikipedia self-administrates and has a vetting process for global JS at the pump or talk page, but aren't the JavaScript pages still editable by admins on Wikipedia, and is there a reason for the different stance Wikia is taking from Wikipedia, namely what kind of security risks is Wikia trying to protect us/itself from by disabling custom JS?

Thank you for responding to my queries so far.



Best,
changtau2005
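The question above (whether template parameters are sanitized before they reach the HTML) and the staff's earlier point that whitelisted system messages are sanitized while verbatim snippets are pasted in raw can both be illustrated with a toy model of the rendering order. This is an added example, not code from the wiki, from MediaWiki or from Wikia: the pipeline, the tag allow-list, the VIDEO_SNIPPET placeholder standing in for a system message, and the 11-character video-id and numeric-width rules are all assumptions made for the demonstration.

```python
import html
import re

# Constructed toy model of a wikitext rendering pipeline. None of this is
# MediaWiki or Wikia code; the tag allow-list, the snippet and the
# parameter rules are assumptions made for the demonstration.

# Tags the sanitizer lets through in ordinary wikitext output (assumed set).
ALLOWED_TAGS = {"b", "i", "p", "span", "div"}

# Hypothetical raw-HTML snippet standing in for a system message such as
# MediaWiki:YoutubeIframeSingleVideo; a verbatim-style tag would paste this
# into the page unchanged, with template parameters filled in.
VIDEO_SNIPPET = ('<iframe src="https://www.youtube.com/embed/{video_id}" '
                 'width="{width}"></iframe>')

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def sanitize(markup: str) -> str:
    """Keep allow-listed tags (attributes dropped, for simplicity) and
    HTML-escape every other tag so the browser renders it as text."""
    def repl(m):
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            return f"<{closing}{name}>"
        return html.escape(m.group(0))
    return TAG_RE.sub(repl, markup)


def render_ordinary(wikitext: str, params: dict) -> str:
    """Normal path: parameters are substituted into the wikitext first and
    the complete expansion is then sanitized, so a parameter carrying a
    <script> tag comes out escaped."""
    expanded = wikitext.format(**params)
    return sanitize(expanded)


def render_verbatim_unsafe(params: dict) -> str:
    """Verbatim-style path: the surrounding wikitext is sanitized, but the
    raw snippet is appended afterwards, so the parameters interpolated into
    it never pass through the sanitizer at all."""
    page = sanitize("<p>Music:</p>")
    snippet = VIDEO_SNIPPET.format(**params)   # raw HTML, never sanitized
    return page + snippet


# Strict allow-lists for the two parameters the snippet accepts (assumed
# formats: an 11-character URL-safe video id and a small integer width).
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")
WIDTH_RE = re.compile(r"[0-9]{1,4}")


def render_verbatim_hardened(params: dict) -> str:
    """Same snippet, but each parameter must match its allow-list and is
    HTML-escaped before it is placed into the raw HTML. Rejecting bad input
    outright is preferable to trying to clean it up."""
    video_id = str(params.get("video_id", ""))
    width = str(params.get("width", ""))
    if not VIDEO_ID_RE.fullmatch(video_id):
        raise ValueError("video_id rejected by allow-list")
    if not WIDTH_RE.fullmatch(width):
        raise ValueError("width rejected by allow-list")
    safe = {"video_id": html.escape(video_id, quote=True),
            "width": html.escape(width, quote=True)}
    return sanitize("<p>Music:</p>") + VIDEO_SNIPPET.format(**safe)


def contains_live_script(markup: str) -> bool:
    """Detection check: does the rendered output still contain an
    unescaped <script> tag?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed hostile parameter value: closes the src attribute and the
    # iframe so that a script tag follows them.
    hostile = '"></iframe><script>alert(1)</script><iframe src="'
    print("ordinary path   :", contains_live_script(
        render_ordinary("<p>Music: {video_id}</p>", {"video_id": hostile})))
    print("verbatim unsafe :", contains_live_script(
        render_verbatim_unsafe({"video_id": hostile, "width": "560"})))
    try:
        render_verbatim_hardened({"video_id": hostile, "width": "560"})
    except ValueError as exc:
        print("verbatim hardened:", exc)
```

The point the model makes is one of ordering: in the ordinary path the sanitizer sees the parameter because it runs over the fully expanded page, whereas a snippet pasted in after sanitization carries its parameters past the sanitizer untouched. Protecting the template page itself does not help, because the parameter values come from whoever calls the template. The hardened variant shows the cheapest fix that keeps the feature: validate each parameter against a strict allow-list for its expected shape and escape it before interpolation.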

Staff response:


At the current moment, verbatim usage to insert HTML is not allowed. We are still unsure of how that will be moving forward. We are still trying to find a solution with the least bumps in the road.

I can assure you I did test your set of templates and the vulnerability does exist with them in their current state.

The goal is not to have site JS locked down, no. It's only currently locked down until we have a review process in place (it's going beta soon for testing). After that process is in place, all wikias will have their JS unlocked and be editable. This ensures that going forward, we do not have the same site vulnerabilities we had recently. Since you seem to know JS a good deal, I will be giving you 'codeadmin' rights on your wikia. This will allow you to edit your site's JS.

Timothy Collins
Community Technical Support

Response:

Hi Timothy,

Thank you. I now have a far better understanding of what is in the pipeline and what changes to expect. Let's leave verbatim disabled. Going forward, if there are (or there will be) a set of guidelines or checks somewhere as to what is acceptable in JavaScript to pass review, (which I assume is some automated test or process) I'd appreciate a link to the technical update, article, or equivalent.

Thanks again for answering all my questions.

Best regards,
changtau2005
Whoo, that was quite a long exchange, but it was a good one. Timothy (User:Rappy 4187) has given me codeadmin rights (log), so I can once again edit JavaScript pages. I'll not try to fix the playlist players before the JavaScript review is in place, as otherwise if the changes aren't allowed, it may potentially be a waste of time. For the single video players, I think I'll make it fall back to the Youtube plugin, at least temporarily. I'll see when I can make some time to have a good look at the template so I don't break stuff. Changtau2005
KirbyKSSUwalk Poyo! 23:27, September 7, 2015 (UTC)

