From XOWA: the free, open-source, offline wiki application


Java vulnerabilities (and the resulting patches) are often in the news. However, most of these vulnerabilities affect machines with the Java browser plugin. A machine can have Java installed and be largely unaffected by these vulnerabilities -- so long as the Java browser plugin is disabled. If you want to check that the Java browser plugin is disabled, you can review the instructions at this link:

For Firefox, these are the steps I used to verify that the Java browser plugin is disabled.

  • From the Menu Bar, do "Tools" -> "Add-ons"
  • The next page will list "Add-ons". For my machine, "Java(TM) Platform SE 6 U32 6.0.320.5" was listed. It was marked "(disabled)"
Note that recent builds of Firefox will disable the Java browser plugin by default.

Finally, although XOWA uses Java and is a browser-based app, it does not use the Java browser plugin in any manner.


XOWA uses Javascript throughout the app for MathJax, sortable tables, reference tool-tips, and many other functions. Javascript is a versatile language for working with web pages, but that same versatility also makes it a vector for attack. There is always a possibility that malicious Javascript could be added to a wiki page, and that this malicious Javascript could make its way to your machine.

XOWA tries to control this situation in the following ways:

  • XOWA uses the same whitelisting approach that MediaWiki uses to block Javascript from being executed on wiki pages.
  • XOWA filters out javascript again just before rendering pages
  • XOWA has a flag to disable javascript entirely. Note that this will reduce much of the functionality of XOWA. It can still be used to read wiki pages, but the functions listed above will not work.

In order to disable Javascript, you can uncheck the Javascript option at Options/Security



Getting started