MediaWiki extensions manual - list

Release status: beta

Implementation Parser extension
Description Framework for embedding scripting languages into MediaWiki pages
Author(s) Victor & Tim (Tim StarlingTalk)
License No license specified
Download Download snapshot
Subversion [Help]

Browse source code
View code changes

Check usage (experimental)
Bugs: list open list all report

Scribunto (Latin: "they shall write") is an extension for embedding scripting languages in MediaWiki. Currently the only supported scripting language is Lua.

Usage Edit

Scripts are contained within a new namespace called "Module". Each module has a collection of functions, and the functions can be called using wikitext syntax such as:

{{#invoke: Module_name | function_name | arg1 | arg2 | arg3 ... }}

Installation Edit

Scribunto comes with bundled Lua binaries for Linux and Windows, on Intel 32 and 64 bit platforms. If you have one of these two platforms, Scribunto should work for you out of the box.


For a more pleasant user interface, with syntax highlighting and a code editor with autoindent, install the following extensions:

Then in your LocalSettings.php after all the extension registrations, add:

$wgScribuntoUseGeSHi = true;
$wgScribuntoUseCodeEditor = true;

Additional binaries Edit

Additional Lua binaries can be obtained from or from your Linux distribution. Only Lua 5.1.x is supported. Configure the location of the binary file with:

$wgScribuntoEngineConf['luastandalone']['luaPath'] = '/path/to/lua';

LuaSandbox Edit

We have developed an extension to PHP written in C called LuaSandbox. It can be used as an alternative to the standalone binaries, and will provide improved performance. To install it, install the headers and library files for either Lua 5.1.x or LuaJIT 1.1.x, as well as PHP, then run:

git clone
cd luasandbox
make install

Lua Edit

Lua is a simple programming language intended to be accessible to beginners. The best introduction to Lua is the book Programming in Lua. The first edition (for Lua 5.0) is available online and is mostly relevant to Lua 5.1 used by Scribunto:

The reference manual is also useful:

Lua environment Edit

In Lua, the set of all global variables and functions is called an environment.

Each {{#invoke:}} call runs in a separate environment. Variables defined in one {{#invoke:}} will not be available from another. This restriction was necessary to maintain flexibility in the wikitext parser implementation.


The environment which scripts run in is not quite the same as the one documented in the Lua reference manual.

The following functions have been modified:

May not be available, depending on the configuration. If available, attempts to access parent environments will fail.
Works on tables only to prevent unauthorized access to parent environments.
Pointer addresses of tables and functions are not provided. This is to make memory corruption vulnerabilities more difficult to exploit.
Certain internal errors cannot be intercepted.
Can fetch certain built-in modules distributed with Scribunto, as well as modules present in the Module namespace of the wiki. To fetch wiki modules, use the full page name including the namespace. Cannot otherwise access the local filesystem.

The following packages are mostly removed. Only those functions listed are available:

Filesystem and C library access has been removed. Available functions and tables are:
Loaders which access the local filesystem or load C libraries are not present. A loader for Module-namespace pages is added.
There are some insecure functions in here, such as os.execute(), which can't be allowed. Available functions are:
Most of the functions are insecure. Available functions are:

The following functions and packages are not available:

No application is known for us, so it has not been reviewed for security.
io.*, file.*
Allows local filesystem access, which is insecure.
These were omitted to allow for static analysis of the Lua source code. Also, allowing these would allow Lua code to be added directly to article and template pages, which was not desired for usability reasons.
This was discussed on wikitech-l and it was decided that it should be omitted in favour of return values, to improve code quality. If necessary, mw.log() may be used to output information to the debug console.
May expose private data from parent environments.

Design documents Edit

Other pages Edit


Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.