I’d also like to discourage the Mustache “.” feature (“current context”, as
in {{#html-items}}{{{.}}}{{/html-items}}), at least in unescaped HTML (i.e.
{{{.}}}) but perhaps also in escaped HTML ({{.}}) – it made one of the
related issues much harder to debug for me, because I couldn’t even find
On 2023-09-29 19:55, bawolff wrote:
This is clearly yielding some interesting results.
One of the patterns I've noticed is that several of the examples seem to
involve mustache templates. I think there are two reasons for this:
* mustache templates cannot currently be checked by phan-taint-check
* Because they are a separate file,
>
> If the developer setting $wgUseXssLanguage is set to true, then an “x-xss”
> language code becomes available and can be selected with *?uselang=x-xss*
> in the URL. When using this language code, all messages become “malicious”:
> every message is replaced by a snippet of HTML that tries to
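As an added illustration of the two points raised in this thread (not code from the thread, from MediaWiki, or from its Mustache renderer), here is a small Mustache-subset renderer in Python that supports `{{name}}` (HTML-escaped), `{{{name}}}` (unescaped), `{{#section}}…{{/section}}`, and the `.` current-context tag, together with a check that mimics the x-xss idea: every string value fed to the template is replaced by a marker string, and the rendered output is searched for that marker surviving unescaped. The renderer itself, the `CANARY` marker, the `poison`/`leaks_raw_html` helpers and the two sample templates are all constructed for this example; the marker stands in for a "malicious" message and is only used to see whether a template escapes it.

```python
import html
import re

# Matches {{{raw}}} first (three braces), then {{#name}}, {{/name}} and {{name}}.
TAG_RE = re.compile(
    r"\{\{\{\s*(?P<raw>[^}]+?)\s*\}\}\}"
    r"|\{\{\s*(?P<type>[#/]?)\s*(?P<name>[^}]+?)\s*\}\}"
)


def tokenize(template):
    """Split a template into ('text'|'var'|'raw'|'open'|'close', value) tokens."""
    tokens, pos = [], 0
    for m in TAG_RE.finditer(template):
        if m.start() > pos:
            tokens.append(("text", template[pos:m.start()]))
        if m.group("raw") is not None:
            tokens.append(("raw", m.group("raw")))
        else:
            kind = {"#": "open", "/": "close", "": "var"}[m.group("type")]
            tokens.append((kind, m.group("name")))
        pos = m.end()
    if pos < len(template):
        tokens.append(("text", template[pos:]))
    return tokens


def lookup(name, stack):
    """'.' is the current context; other names search the context stack top-down."""
    if name == ".":
        return stack[-1]
    for ctx in reversed(stack):
        if isinstance(ctx, dict) and name in ctx:
            return ctx[name]
    return ""


def find_close(tokens, start, name):
    """Index of the {{/name}} matching an already-consumed {{#name}}, nesting-aware."""
    depth = 0
    for j in range(start, len(tokens)):
        kind, value = tokens[j]
        if kind == "open":
            depth += 1
        elif kind == "close":
            if depth == 0:
                if value != name:
                    raise ValueError(f"unexpected close tag {value}")
                return j
            depth -= 1
    raise ValueError(f"unclosed section {name}")


def render_tokens(tokens, stack):
    out, i = [], 0
    while i < len(tokens):
        kind, value = tokens[i]
        if kind == "text":
            out.append(value)
        elif kind == "var":                      # {{x}}: escaped
            out.append(html.escape(str(lookup(value, stack)), quote=True))
        elif kind == "raw":                      # {{{x}}}: unescaped, passes HTML through
            out.append(str(lookup(value, stack)))
        elif kind == "open":
            close = find_close(tokens, i + 1, value)
            body = tokens[i + 1:close]
            val = lookup(value, stack)
            items = val if isinstance(val, list) else ([val] if val else [])
            for item in items:                   # each item becomes the '.' context
                out.append(render_tokens(body, stack + [item]))
            i = close
        else:
            raise ValueError(f"stray close tag {value}")
        i += 1
    return "".join(out)


def render(template, data):
    return render_tokens(tokenize(template), [data])


# Constructed marker: plays the role of an x-xss "malicious" message. If it reaches
# the output intact, the template emitted a value without escaping it.
CANARY = "<x-xss-canary>"


def poison(data):
    """Replace every string leaf in the template data with the marker (like x-xss does for messages)."""
    if isinstance(data, dict):
        return {k: poison(v) for k, v in data.items()}
    if isinstance(data, list):
        return [poison(v) for v in data]
    return CANARY if isinstance(data, str) else data


def leaks_raw_html(template, data):
    """True when some value is interpolated unescaped."""
    return CANARY in render(template, poison(data))


SAFE_TEMPLATE = "<ul>{{#items}}<li>{{.}}</li>{{/items}}</ul>"     # escaped current context
UNSAFE_TEMPLATE = "<ul>{{#items}}<li>{{{.}}}</li>{{/items}}</ul>"  # unescaped current context

if __name__ == "__main__":
    sample = {"items": ["first message", "second message"]}
    for name, tpl in (("safe", SAFE_TEMPLATE), ("unsafe", UNSAFE_TEMPLATE)):
        print(name, "leaks raw HTML:", leaks_raw_html(tpl, sample))
```

The check only reports whether a value was emitted unescaped, which is exactly the class of defect that a taint checker cannot see when the template lives in a separate file; it cannot tell whether the unescaped value was meant to be pre-sanitised HTML, so each hit still needs a human to look at the template and its caller.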