FlexForm is a very powerful tool. It can create new pages or edit existing ones. It can create new users, send emails and much more. With this much power comes responsibility.

Luckily, FlexForm has a lot of security features built in.

LocalSettings configuration

This setting should always be on. It filters all user input, creates a checksum for each form to detect tampering, renders forms so that they make no sense when inspected with the browser's developer tools, and more.

$wgFlexFormConfig['secure'] = true;


By default, the option to have FlexForm create users from a form is turned off:

$wgFlexFormConfig['can_create_user'] = false;


Set the user groups that have special privileges in FlexForm. Here the sysop and moderator groups are given these privileges:

$wgFlexFormConfig['allowedGroups'] = ["sysop","moderator"];


This option only allows users in allowedGroups to edit a page whose source contains a FlexForm, so anonymous and other users cannot change a FlexForm form. On top of that, the edit and edit source options in the top menu, if available, are not shown, and actions like edit or vedit are blocked.

$wgFlexFormConfig['hideEdit'] = true;


With this option set to false, FlexForm checks whether the action it needs to perform (creating or editing a page) is allowed for the user submitting the form. Example: you have a form that edits a template on your main page; the form itself can be anywhere in the wiki. On submit, FlexForm first checks whether the user is allowed to edit the main page. When you set this option to true, no such check is done.

$wgFlexFormConfig['userscaneditallpages'] = false;


This option is very powerful: only approved (validated) forms are rendered. Basically, any form created or edited by a user in one of the allowedGroups is automatically validated. For more detailed information, see the documentation on validated forms.

$wgFlexFormConfig['renderonlyapprovedforms'] = true;

Other options

By default, a FlexForm form is never rendered for an anonymous user. You can change this by adding a restrictions="lifted" attribute to a form tag. This can be useful for e.g. a contact form or a questionnaire. Be sure to set up the built-in reCaptcha options in FlexForm when allowing anonymous form submission!

When you create a user input in a form, FlexForm by default always filters the input for HTML, JavaScript or other malicious code. You can, however, specify per input what is allowed and what is not. More information: Default input HTML attribute.

Especially on a "closed" wiki, where people need to register and get their rights through user groups, it is a good option simply not to show a form to someone in a user group that is not allowed to use it.