Forum:Javascript for page content

An interesting comment has come up on one of the wikis that I'm participating on (see: c:runescape:Forum:Java calculators) and it got me thinking about the issues involving Javascript that could be added in some manner to page content.

First of all, what sort of legitimate security issues are there in regards to Javascript content in individual wiki pages that would make it so you wouldn't want to have it as HTML code within a normal editable page? Most HTML markups can be used (often isn't necessary, but it is available) when doing wiki mark-up. Javascript is one of the things that is explicitly removed from any wiki-editable page by ordinary users.

I know you can add/edit Javascript in the skin definitions, such as with MediaWiki:Common.js (a page found on nearly every Mediawiki wiki), but this is something that loads with each and every page. What I'm looking for is something that can load for a specific page only, such as a user page or in this case something like a pocket calculator. I'm even thinking here of something that could be used for demonstrating concepts of Javascript as a sort of tutorial.

The security issues are very legitimate here, I should add. I understand why Javascript shouldn't be opened up for any anonymous users randomly editing any wiki and throwing some Javascript that could potentially do some real damage. One of the approaches I'm thinking of here is some method (like an extension) that would link in an editable page that would contain the Javascript which is linked to the normal wiki page you want it linked to... sort of how talk pages are linked to a normal page. This would be something in a completely different namespace (for a variety of reasons) that could only be edited by administrators/sysops and perhaps a new user class called "Javascript editors" that are of similar trusted caliber.

Maybe I'm being too ambitious here, but it would be interesting to see some experimentation of a wiki community that had access to some of the rich content that could be developed with Javascript. Most of the current web browsers support Javascript (under whatever name they may be using... there are several names for nearly the same thing) in some fashion and it would be interesting to see what real issues might be a problem on a test wiki or two.

I'm bringing this issue up here both because I'd like to try this idea out with a wikia wiki (Wikia seems more open to this sort of experimentation) and there may be some solutions to doing something like this that I'm unaware of... or even an extension of MediaWiki that is already written to accommodate a request of this nature. I'm open to other ideas that aren't so drastic as having a whole namespace linked to content pages as well. The point is that I'd like to develop some Javascript applets that mix in with the already rich content found with wiki pages, and allow Javascript to be developed in a similar collaborative manner with multiple authors. --Robert Horning 14:41, 13 April 2009 (UTC)
 * You could make a template with a special class or id, and then write a script that identities that template's class or id and then preforms the desired function on the the page that the template is on; howver, I don't know much about JavaScript. --Michaeldsuarez (Talk) (Deeds) 14:52, 13 April 2009 (UTC)


 * Allow untrusted users to add/modify JavaScript code that would execute to all users is a really hight security hole. There are several ways of making scripts load on certain pages, or where certain elements in the page are displayed. But first of all you need to learn javaScript and have a clear idea of what do you want to do. A wiki is a good system for building collaborative texts, but not for coding. For that there are several other solutions, one of them is GitHub --Ciencia Al Poder (talk) -WikiDex 15:42, 13 April 2009 (UTC)


 * I understand Javascript. That isn't the issue here.  I'm also not suggesting that untrusted users be able to add or modify Javascript either.  I am suggesting that administrators or similarly trusted individuals who already can modify and manipulate Javascript anyway on a wiki can have a small Javascript applet that applies to only one page, and that the Javascript for that page is not loaded with any other page.  As it stands now, any Javascript that is created is applied to each and every page in the entire wiki.  That is fine for skins, but not for individual page or for specialty tools that could be user created and manipulated.


 * One of the things we have done on the Runescape wiki is to create a sort of wiki as a database system. There are some amazing things you can do with templates, but there does reach a limit in terms of how far you can go with the MediaWiki templating features.  In this case we are seeing some way to have a user editable field (drop-down box or other such tool) that doesn't require re-writing the underlying page each time a user wants to manipulate the numbers.  I'm also looking at importing some of the information via templates that could be put directly into the Javascript too.


 * BTW, I think your dismissal of the wiki editing process for developing software is simply a lack of imagination. Remember, Javascript isn't compiled, and it is sent raw to your web browser via http requests.  There is essentially no difference between Javascript and any other html formatting tags... at least to the wiki engine.  The only real difference in MediaWiki is that the Javascript is deliberately stripped out of the page so it won't get forwarded to the end user.  What I'm proposing here is some method of putting a quarantine on the Javascript that would be protected from editing by any user and segregated from the ordinary wiki mark-up.  In this case, MediaWiki would have to merge the contents of both the ordinary wiki mark-up text and the Javascript.... but one part could be edited by anybody and the other part could only be edited by trusted users.


 * I happen to like Source Forge for open source software projects, but this isn't the same thing. No compilation is necessary, so we don't have to go through that extra step, or get more complicated.... and I am talking about having applets that can be directed integrated into the content of the wiki itself instead of linked via an external website. --Robert Horning 15:08, 14 April 2009 (UTC)


 * I'm sure your reasons are worthwhile, but I would like to let any Wikia staff reading this know that I do not want JavaScript enabled any more than it is already. I know I'm fighting a losing battle, but the concept of "trusting" users to put code on a public web site that executes on my computer is bizarre to the older-but-wiser crowd. JohnBeckett 03:09, 15 April 2009 (UTC)
 * Public websites execute Javascript on your computer all the time and as far as I know Wikia wikis won't let just any user insert Javascript executable code into a page without knowledge and cooperation of the admins. I don't think Robert Horning is advocating a wide-open usage and most likely what he wants can be achieved in the framework of most wikia wikis.
 * Of course scripting is disabled on my browser (including here), but I agree that your comment applies to most users. JohnBeckett 10:07, 16 April 2009 (UTC)
 * That said, I wouldn't let any user put Javascript anywhere without some sort of security mechanism. If Javascript can change on a per page basis, users should be given the opportunity to opt-out of executing that Javascript on a per page basis as well. Also, unlike most HTML or CSS, Javascript has a much easier path to crashing your browser, which is a very bad thing. -- Fandyllic  (talk &middot; contr) 4:50 PM PST 15 Apr 2009


 * I have read and i cant seem to understand what is the problem? there are already javascript pages, and inside them there can be scripts that call "other pages" to load more scripts if the conditions are met (in this case a specific page) --

fake extension
Usually, functionality such as you suggest would be added using a mediaWiki extension. Why don't you fake an extension? Introduce some markup, and have site Javascript that loads and executes the "page javascript" thus marked. It would mean a common JS function that scans pages for this markup, but the page-specific markup wouldn't always be loaded.

I'd have the markup designate a wiki page that only hold the javascript itself (ending in .js); and it would only execute if
 * 1) that page was in MediaWiki: namespace (so only admins could edit it; this doesn't create a security problem as the admins can edit site javascript anyway), or
 * 2) on a page where the user executing it is the last (top) contributor (so users can run it on their personal sandboxes for themselves).

The markup could be, for example:  That way, the "loader" can enumerate div elements of class "load_javascript" and load the pages noted in the IDs (, of course).

You could implement this without Wikia help. -- ◄mendel► 00:31, 18 April 2009 (UTC)


 * I dont know if its still valid but in the past non-sysops could create pages at MediaWiki namespace, but they cant edit it. So they could insert a ready to hack javascript and just put the trigger on main the main page. --


 * Superficial testing shows that if that is still possible, it requires a nonobvious avenue to do so. It'd be a serious bug (even not considering Javascript) if that was possible! -- ◄mendel► 10:10, 18 April 2009 (UTC)