Board Thread:General Discussion/@comment-281395-20151126112638

This post refers to w:c:tibia:Main Page.

Wikia have reviewed our wiki's JavaScript. JavaScript that we had in place for years before the reviewing process was introduced.

And rejected it. On the basis that it is insecure. It is insecure, I will admit. It's insecure because an administrator could replace the JavaScript with something malicious. Because it's not reviewed by the flawless, uncompromisible wit of the Wikia staff who are employed to review this JavaScript code.

So, in the interest of security, Wikia have commented out most of our JavaScript, thereby disabling the functionality of many features. There was no warning, no suggestion to change, no timeline; just a dick move that disrupted the community. It took 4 days to have that code reviewed. And it will take another four days to restore the functionality once the code is written to work around the security restrictions. Once it is written. They claim it to be easy to do, but Wikia's API is insufficiently documented, so there's nothing to refer to. We have no clue how to do it, and I asked them to clear up discrepancies within the API documentation. And the support ended there.

Here are the main features that were commented out.

Mapper - a world view of the game's world map. This map is the most linked to page because we have a script that pops up a map showing the locations of NPCs, places, etc. Or we did. It's gone.

Outfiter - a script that generates in-game outfits for viewers to experiment before they purchase or obtain outfits in the game. Very popular, it was.

Calculators - various scripts that calculate loot value and other in-game statistics.

Loot Statistics - allows users an easy way to upload loot for our ongoing stagnant project of documenting drop rates of creatures.

All of these were hugely popular. Now they have been disabled in a heartbeat ruling. Code that has worked for years with little maintenance must now be recoded to comply with Wikia's added restrictions. Easy, they say. Just move it to the MediaWiki namespace and use their APIs to load it. But we can't, because the only documentation provided does not indicate how we would include custom HTML since we require HTML5 elements that are not rendered by MediaWiki. So I asked the person who commented our code on the discussion thread that he created. And the support ends there.

And now, the funny part. One of the scripts that they had removed was a script that queried the API and warned the user if the last editor is new and if the page hasn't been edited in a while. It would warn them, because we were a huge target for vandalism in the past. Not just simple vandalism that adjusts the price of items or throws racial slurs on random pages. Rather, hackers would post links to drive-by download websites with a warning that the users' "Java was outdated and they needed to download a file to browse the wiki".

I spent 40 minutes cleaning up vandalism today. 110 edits over the course of the day. These 110 edits would not have happened if we had those warnings showing. These were edits to our most popular articles, so they had high visibility. Luckily, we still had the limited protections provided by Wikia's inadequate attempts to secure our wiki in the past. The abuse filter prevented some of their edits and forced them to create more accounts. I blocked 12 vandal accounts.

So, to summarize: in the interest of security, Wikia have commented out all of our scripts, which has facilitated the compromise of game accounts and disabled the functionality of our most popular features.

@Wikia: Congratulations. I hope you are proud of your success.

If you're serious about security and customer support, I would highly recommend firing Rappy_4187. He is incompetent and should not play any role in support. Thanks, and have a nice day. You have proven that Wikia is a poor platform for any serious project, at least to me.

If you're serious about security, why not block all edits since people will find ways around your system anyway? These vandalism outbreaks are nothing new for us. They must be successful to some degree if they continue. In the interest of security, wouldn't it be ideal to lock everything down and manually process every single edit? No? I didn't think so. Administrators are trusted with a few additional privileges, but by selectively reviewing only script changes you are effectively incriminating us. We aren't sketchy. Just because one person on one wiki made a malicious script change, doesn't mean we all will. The same mentality is not applied to regular users, who can cause the same damage in other ways. 