https://bugzilla.wikimedia.org/show_bug.cgi?id=40124

--- Comment #12 from Chris Steipp <[email protected]> 2012-12-03 19:39:03 UTC ---
I like the prefix suggestion from Brad. I think it's a useful tool for
user-script authors to have a place to store the prefs, and the prefix makes
sure that they don't accidentally start overwriting something important. And
that's really where we have to be careful: when MediaWiki (or a popular
gadget) is using a preference with some amount of escaping (or not escaping),
and javascript is free to set it to arbitrary values.

I think refusing to save the characters <>&'"/ might be a good compromise. If a
script author really wants to save html in a preference, they can base64 encode
the value, and decode it when they use it, with the full knowledge that an
attacker may have also set that value to a base64-encoded version of their
hostile html, so they need to validate whatever they set when they show it back.
