https://bugzilla.wikimedia.org/show_bug.cgi?id=40124
--- Comment #8 from Bartosz Dziewoński <[email protected]> 2012-12-01 18:23:06 UTC ---

To expand on my final words: it might make sense to HTML-escape the contents of unknown preferences by default, to protect the sloppy coders, and document that the preferences *must not* be escaped before saving, and *must* be unescaped after reading if you want to use them outside of HTML.

This wouldn't be pretty (in fact, it would be pretty damn ugly), but it would do the job, allowing us to just turn setting of arbitrary preferences back on again and deal with most security concerns (as those preferences cannot conceivably be used in SQL commands, and the impact of unsanitized use in URLs seems very low to me).

Can gadgets use this anywhere else where it should be sanitised?
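The escape-on-save contract proposed in the comment, as an added illustration (not MediaWiki's own preference code; the class, method names and the sample gadget value are assumed):

```php
<?php
// Standalone sketch of "HTML-escape unknown preferences by default".
// Known (registered) keys are assumed to be validated elsewhere.
class EscapedPreferenceStore {
    private array $knownKeys;
    private array $stored = [];

    public function __construct( array $knownKeys ) {
        $this->knownKeys = $knownKeys;
    }

    // Callers pass the RAW value; the store escapes unknown keys itself.
    // Escaping before calling set() would double-encode (see below).
    public function set( string $key, string $value ): void {
        if ( in_array( $key, $this->knownKeys, true ) ) {
            $this->stored[$key] = $value;
            return;
        }
        // ENT_QUOTES so both quote styles are neutralised inside attributes.
        $this->stored[$key] = htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }

    // Safe to emit directly as HTML text or inside a quoted attribute.
    public function getForHtml( string $key ): string {
        return $this->stored[$key] ?? '';
    }

    // Anything used outside HTML (URLs, JS, plain text) must unescape first.
    public function getRaw( string $key ): string {
        $v = $this->stored[$key] ?? '';
        return in_array( $key, $this->knownKeys, true )
            ? $v
            : html_entity_decode( $v, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

$store = new EscapedPreferenceStore( [ 'language' ] );
// Constructed sample: a gadget-supplied value that contains markup.
$store->set( 'gadget-signature', '<b onmouseover="x()">Tom & "Jerry"</b>' );

// HTML context: stored form is already inert, use it as-is.
echo $store->getForHtml( 'gadget-signature' ), "\n";

// URL context: unescape first, then apply the encoding that context needs.
echo rawurlencode( $store->getRaw( 'gadget-signature' ) ), "\n";

// The documented pitfall: escaping BEFORE saving is escaped again by set(),
// so getRaw() no longer returns the original string.
$store->set( 'gadget-signature', htmlspecialchars( 'Tom & Jerry', ENT_QUOTES ) );
var_dump( $store->getRaw( 'gadget-signature' ) === 'Tom & Jerry' );
```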
