On 11/02/2015 05:11 AM, Brian Wolff wrote:
We already reserve data-ooui (by reserve, I mean blacklist in the
sanitizer). But it feels wrong to use that for parts of mw that are
not ooui. I would like to propose that we reserve data-mw- prefix as
well for general usage by mediawiki/extensions
Occasionally its useful to pass trusted data to javascript using data
attributes on elements that you know is not from the user. In the
past, there has been security issues from using the data attribute for
information that is assumed to be trusted, but in reality could be
messed with by the user.