History: Plugin Security
Preview of version: 8
Plugin Security
By default, Wiki Syntax is designed to be safer than HTML. If we let users just use any HTML & Javascript (which is , some could do nasty things like XSS
Thus, when a plugin is potentially insecure, it must be approved by someone with appropriate permissions.
The permissions involved are:
| Permission | Description |
| tiki_p_plugin_approve | Can approve plugin execution |
| tiki_p_plugin_preview | Can execute unapproved plugin |
| tiki_p_plugin_viewdetail | Can view unapproved plugin details |
Plugin Approval
Starting in Tiki 3, the usage of potentially dangerous plugins needs to be validated in a case by case basis. An admin can do that through tiki-plugins.php.
Then, if you go to one of those pages listed in the previous list, you'll find a box with the option to see the details to that plugin usage. Users with the required permissions will be able to preview and validate or reject them.
Plugin Manager
Plugins can be enabled or disabled on a sitewide basis by an admin. So if you don't need it, turn it off.