Feature Wiki

Information about planned and released features

Embedding and Scripting on Wiki Pages

1 Requirements

Right now, objects embedded via small scripts or HTML snippets are escaped by default in the wiki for security reasons. As default behaviour, especially considering "public" wikis, this is a good solution.
 
However, in university settings, wikis are often used in a controlled "classroom" scenario with write access only for a small group. Intuitively, users expect to be able to embed YouTube / Vimeo or other content, for example via iframes. Course admins, for instance, can already embed content with the "Design Page" functionality in courses, groups and folders, but are not able to do this in a wiki.
 
Thus, escaping of scripts should be configurable for each wiki. The default setting should still be "disabled" so that course admins have to enable it actively. This could be realized by a simple checkbox on the wiki settings page.

2 Additional Information

  • Idea / concept: Marko Glaubitz, marko.glaubitz@rz.uni-freiburg.de
  • Funding: Universität Freiburg
  • Maintainer: (will be set by Jour Fixe)
  • Implementation of the feature is done by (company, developer)
  • Contract settled: No
  • Tested by / status: (name, e-mail), (status information set after implementation)

3 Discussion

Killing, Alexander [alex], 2 June 2015: First of all I think that we really should improve the handling of media elements, which are supposed to provide the YouTube functionality (they do, but many users do not seem to know how). There are lots of advantages to not having complex HTML structures in your content, but well-defined items that are stored independent of their rendering (e.g. migrating YouTube rendering between different media players, which is impossible if you use HTML directly).

In general it would be easy to provide an implementation that enables/disables the HTML rendering globally, like it is provided for blogs. But this feature request asks for controlling this on the level of the single object, and this is quite hard to handle. "Course admins" as suggested do not exist for wikis in general. If the behaviour is just controlled by "a simple option on the settings" screen, ILIAS administrators have no control anymore at all. Every place where wikis are created by students (e.g. groups) would give them the possibility to activate HTML rendering and add XSS code. We would need to at least run a purifier over it, imo. What I also fear is a decrease of usability, if single Wiki objects behave differently.

Glaubitz, Marko [mglaubitz], 24 June 2015: Ok, then let's think about a global solution that is similar to the blog. In my opinion, there is little difference between students being able to post HTML content on a blog and writing HTML content on a wiki page.
However, there must be a way to use embedding scripts, for example, to embed videos from a self-run streaming server. Simply providing a solution for YouTube by using the current media object implementation narrows the possible media sources down too much for us.

Zenzen, Enrico [ezenzen], 12 SEP 2022: This request no longer fulfills the requirements of the Feature Wiki. In consultation with the maintainer I change the status of the feature request to "Redundant / outdated". If the request is still relevant, please update template and mockups.
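The two positions in this discussion (run a purifier over user HTML, yet still allow embeds from a self-run streaming server) can be reconciled by accepting a pasted iframe only as input and rebuilding it from validated parts. The sketch below is an added example, not ILIAS code and not written by any of the commenters; the host allowlist, `media.example.edu` and the function name `render_embed` are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist; media.example.edu stands in for a self-run streaming server.
ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com", "media.example.edu"}
SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.-]*")


class _TagCollector(HTMLParser):
    """Records every start tag and the attributes of each iframe."""

    def __init__(self):
        super().__init__()
        self.tags, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def render_embed(snippet):
    """Return a rebuilt iframe for an allowlisted source, or None to reject."""
    parser = _TagCollector()
    parser.feed(snippet)
    parser.close()
    if parser.tags != ["iframe"]:  # exactly one element, nothing nested
        return None
    try:
        url = urlsplit(parser.iframes[0].get("src") or "")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        return None
    if not SAFE_PATH.fullmatch(url.path):
        return None
    # Rebuild from validated parts only: user-supplied attributes (onload,
    # srcdoc, style), userinfo, port, query and fragment never reach the page.
    src = f"https://{url.hostname}{url.path}"
    # allow-same-origin is acceptable only while the allowlisted hosts are on
    # a different origin from the wiki itself.
    return (f'<iframe src="{escape(src, quote=True)}" '
            'sandbox="allow-scripts allow-same-origin" '
            'referrerpolicy="no-referrer" allowfullscreen></iframe>')
```

Because the output is generated from the validated host and path alone, nothing from the pasted markup is passed through, which also keeps the stored item independent of its rendering.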

4 Implementation

...

Last edited: 12. Sep 2022, 07:58, Zenzen, Enrico [ezenzen]