https://bugzilla.wikimedia.org/show_bug.cgi?id=33330
--- Comment #24 from Saibo <[email protected]> 2012-06-11 23:51:04 UTC ---
Looks good, thanks!

The following seems to be /not/ an issue here since everything gets properly
escaped/passed by jQuery.. but, in general, one has to be careful with the
language code:

Opening
> https://commons.wikimedia.org/w/index.php?title=Special:Preferences&uselang=%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3D%22%61%6c%65%72%74%28%27%79%6f%75%20%68%61%76%65%20%62%65%65%6e%20%78%73%73%65%64%21%27%29%22#mw-prefsection-uploads
and running
> alert(mw.config.get( 'wgUserLanguage' ));
returns
" onmouseover="alert('you have been xssed!')

If that language code gets embedded into some link ...
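
The risk raised in the comment above, as an added example that is not part of the original message and is not MediaWiki code: a link built by raw concatenation of the language code, next to an escaped and a validated variant. The helper names, the `title=Help` target and the language-code pattern are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not MediaWiki code.
// Value the comment reports for mw.config.get('wgUserLanguage').
const reportedLang = '" onmouseover="alert(\'you have been xssed!\')';

// Conservative shape check (assumption: hyphen-separated alphanumeric subtags,
// e.g. "de", "pt-br", "zh-hans").
function isPlausibleLangCode(code) {
  return typeof code === 'string' && /^[a-z]{2,8}(-[a-z0-9]{1,8})*$/i.test(code);
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe: raw concatenation lets a quote in the value close the href
// attribute and start a new one.
function buildLinkUnsafe(lang) {
  return '<a href="/w/index.php?title=Help&uselang=' + lang + '">Help</a>';
}

// Escaped: URL-encode the parameter value, then escape the whole attribute.
function buildLinkEscaped(lang) {
  const href = '/w/index.php?title=Help&uselang=' + encodeURIComponent(lang);
  return '<a href="' + escapeAttr(href) + '">Help</a>';
}

// Validated: additionally fall back to a known code when the shape is wrong.
function buildLinkValidated(lang, fallback = 'en') {
  return buildLinkEscaped(isPlausibleLangCode(lang) ? lang : fallback);
}
```

With the reported value, only `buildLinkUnsafe` produces markup in which the language code ends up outside the `href` attribute.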
