https://bugzilla.wikimedia.org/show_bug.cgi?id=24199
Jan Schejbal <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Low                         |Normal
                 CC|                            |[email protected]
           Severity|enhancement                 |critical

--- Comment #8 from Jan Schejbal <[email protected]> 2012-08-08 00:34:12 UTC ---
I was able to perform XSS on revision 72454 and have no reason to believe this
wouldn't work with current versions. I do not want to publicly disclose the
exploit.

That $wgRawHtml hack really needs to go away. Setting such a global variable and
never changing it back (!) sounds like a great way to cause nasty security
issues everywhere.

I have set severity=critical, priority=normal, please correct it if that was
wrong.
