https://bugzilla.wikimedia.org/show_bug.cgi?id=40124
Brad Jorsch <[email protected]> changed:

What |Removed |Added
CC   |        |[email protected]

--- Comment #9 from Brad Jorsch <[email protected]> 2012-12-03 17:46:09 UTC ---

Restricting setting of potential MediaWiki options does make sense. The question is whether we want to worry about the case where someone sets an option in version X and then MediaWiki starts using that option for version X+1. There's also the case to consider that we might want to continue having Special:Preferences remove obsolete options. Both of these could be solved by only enabling setting of arbitrary preferences for some prefix (e.g. "ujs-").

As for protecting user script authors from themselves, automatically escaping things would IMO be entirely the wrong choice for the same reason PHP's "magic quotes" was such a bad idea: sometimes things don't get unescaped when they should have, and thanks to that sometimes they wind up being stored double-escaped, and sometimes they do get unescaped when they shouldn't be because people are so used to having to unescape everything. If we do anything, we should just reject entirely whichever characters you might consider escaping.

I suppose preventing storage of '<', '>', '"', and "'" in these arbitrary preferences *would* help stop what would probably be the most common kinds of carelessness leading to XSS. But I doubt we can blacklist enough to really prevent everything, and we certainly can't prevent someone from base64-decoding a preference value and then using it in an unsafe manner, so there's a point at which we just have to rely on user script authors to not be stupid.
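As an added illustration (not code from this bug thread or from MediaWiki), the following JavaScript implements the two rules the comment proposes for arbitrary user-script preferences: names must carry an agreed prefix, assumed here to be "ujs-" as in the comment's example, and values containing the four listed characters are rejected outright rather than escaped on storage. The second half shows the double-escaping problem with an escape-on-storage ("magic quotes") policy that motivates rejecting instead.

```javascript
// Added example; the prefix and the rejected-character set follow the comment.
// A real MediaWiki preference name such as "gender" can never collide with a
// prefixed user-script option, even if a later version introduces it.
const USER_SCRIPT_PREFIX = 'ujs-';             // assumption: the agreed prefix
const REJECTED_CHARS = ['<', '>', '"', "'"];   // the four characters the comment lists

function validateUserPreference(name, value) {
  if (typeof name !== 'string' || !name.startsWith(USER_SCRIPT_PREFIX)) {
    return { ok: false, reason: 'option name must start with "' + USER_SCRIPT_PREFIX + '"' };
  }
  if (typeof value !== 'string') {
    return { ok: false, reason: 'option value must be a string' };
  }
  const found = REJECTED_CHARS.filter((c) => value.includes(c));
  if (found.length > 0) {
    return { ok: false, reason: 'value contains rejected characters: ' + found.join(' ') };
  }
  return { ok: true, reason: '' };
}

// Why the comment argues against escaping on storage: if the store escapes on
// write, a consumer that correctly escapes on output emits double-escaped text,
// and a consumer that trusts the store skips escaping, which is wrong as soon
// as the store's rule and the output context differ.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Simulated escape-on-storage policy followed by a careful consumer that
// escapes again before inserting into HTML: the text the user sees is mangled.
function renderFromEscapingStore(value) {
  const stored = htmlEscape(value);   // store escapes on write
  return htmlEscape(stored);          // careful consumer escapes on output
}

// Rejecting instead: the raw value is stored (or refused), and it is escaped
// exactly once, at the point of use.
function renderFromRejectingStore(name, value) {
  const result = validateUserPreference(name, value);
  if (!result.ok) return null;        // nothing stored, nothing to render
  return htmlEscape(value);           // escaped once, at output
}

// Constructed sample inputs for a stand-alone run.
console.log(validateUserPreference('gender', 'x').reason);          // wrong prefix
console.log(validateUserPreference('ujs-label', 'a<b').reason);     // rejected character
console.log(renderFromEscapingStore('Tom & Jerry'));                // 'Tom &amp;amp; Jerry'
console.log(renderFromRejectingStore('ujs-label', 'Tom & Jerry'));  // 'Tom &amp; Jerry'
```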
_______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
