install "RSS" extension on



Infrastructure & Operations
WebOps: IT-Managed Tools
5 years ago
4 years ago


(Reporter: Gavin, Assigned: jakem)


Bug Flags:
sec-review +


This would be useful for incorporating status updates from into weekly meeting notes.
jakem, is this something your team can help with? Do I need to file a secreview bug?
Flags: needinfo?(nmaul)
I would get a secreview.  Wikimedia uses this on the Foundation wiki, but it has restricted access.
Flags: sec-review?
Requesting sec-review from Yvan for now so this doesn't get lost. A recent Bugzilla change broke our queries and the needinfo request is effectively hiding this bug (see bug 828344 comment 72).
Flags: sec-review? → sec-review?(yboily)

Comment 4

5 years ago
I have no concerns about this apart from sec-review. Seems like it'd be easy to install.

The sec-review flag should be sufficient for starters. They'll tell us if they want a separate bug. Usually seems to depend on how trivial the thing being reviewed is. This plugin doesn't seem *too* complicated...
Flags: needinfo?(nmaul)
Flags: sec-review?(yboily) → sec-review?(sarentz)
My only concern is these two config options:


When set to true, they will allow <A> and <IMG> tags in article bodies. I am not concerned about links and images but they do not seem to filter out HREF and SRC attributes that point to javascript: sources.

I'll dig a little deeper. Should have an answer tomorrow.
OK, so MediaWiki does have a Tag and Attribute sanitizer and they do filter out JavaScript, also on content of RSS feeds.

I think the risk for this plugin is low, but I would recommend using the $wgRSSUrlWhitelist setting to limit the RSS feeds to ones we know and trust.

So looks good, go ahead.
Flags: sec-review?(sarentz) → sec-review+
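
The two controls discussed in the review above (dropping HREF and SRC values that point at javascript: sources, and limiting feeds to an allowlist), shown as an added Python example. It is not MediaWiki's sanitizer or the RSS extension's code; the allowlist URL, the tag table and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist; example.org stands in for a feed "we know and trust".
FEED_ALLOWLIST = {"https://planet.example.org/rss20.xml"}
ALLOWED = {"a": {"href"}, "img": {"src", "alt"}}  # tag -> attributes kept
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}

def feed_allowed(url):
    """Exact-match check; an empty allowlist rejects every feed."""
    return url in FEED_ALLOWLIST

def safe_url(value):
    """True only for absolute http(s) URLs; relative URLs are rejected too."""
    # Browsers ignore tabs/newlines inside a URL, so strip whitespace and
    # control characters before reading the scheme (e.g. "java<TAB>script:").
    cleaned = "".join(c for c in value if ord(c) > 0x20)
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class ItemSanitizer(HTMLParser):
    """Keeps <a>/<img> with vetted attributes; drops other tags, escapes text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return
        # HTMLParser has already decoded entities such as &#106; in values.
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED[tag] and v is not None
                and (k not in URL_ATTRS or safe_url(v))]
        rendered = "".join(' %s="%s"' % (k, escape(v)) for k, v in kept)
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_endtag(self, tag):
        if tag == "a":
            self.out.append("</a>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_item(fragment):
    parser = ItemSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

The scheme check runs on the entity-decoded, whitespace-stripped value, which is the form a browser would act on.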
I don't know how the whitelist works exactly, but I am most interested in including RSS feeds from
Assignee: nobody → nmaul

Comment 8

4 years ago
Moving to the proper component so we can get this installed! :)
Assignee: nmaul → server-ops-webops
Component: → WebOps: IT-Managed Tools
Product: Websites → Infrastructure & Operations
QA Contact: nmaul
Version: unspecified → other

Comment 9

4 years ago
Sorry for the very long delay.

I've rolled this out on and Would you care to confirm that it's working and nothing seems horribly broken? (that is, nothing that wasn't already broken anyway!)

If this looks good, it's an easy deploy to production.
Assignee: server-ops-webops → nmaul
Wow, thanks. I'm getting:

Extension:RSS -- Error: "" is not in the whitelist of allowed feeds. There are no allowed feed URLs in the whitelist.


Can you adjust wgRSSUrlWhitelist to include I'm not sure what form the whitelist takes... is where I was testing this.

Comment 12

4 years ago
Ah! I didn't realize it used an allow/deny list. Sure... done.

Sadly, it appears that his feed is an Atom feed, not an RSS one. Compare:

The former uses and, which are both RSS feeds. All 3 feeds render similarly in Firefox, but bsmedberg's renders very poorly on wikimo using this extension.

Next step for that particular feed might be to reach out to him to see if there's a usable RSS feed, or if one could be worked up. Failing that, finding a similar extension that can render Atom feeds (after a cursory search, I haven't found anything obvious). Failing that, there are libraries and/or services that purport to convert an Atom feed into RSS... I have no idea what sort of risk that might pose or how complicated they would be to set up (I tried the free one at, and the RSS extension balks at the generated XML).

Comment 13

4 years ago
I've deployed this to production and populated the whitelist with a handful of obvious Mozilla feeds (including bsmedberg's, even though it's an Atom feed and doesn't render properly).

Sorry the feed you wanted didn't work out. If we can come up with another possibility (a similar extension for Atom feeds, or a conversion, or a new link to an RSS feed), please re-open this or file a new bug as appropriate. Thanks!
Last Resolved: 4 years ago
Resolution: --- → FIXED