https://bugzilla.wikimedia.org/show_bug.cgi?id=40124
--- Comment #13 from Bartosz Dziewoński <[email protected]> 2012-12-03 19:47:47 UTC ---

Ugh, to me the idea with removing the characters altogether doesn't sound good. If they are magically escaped, you can at least figure out what happens; if they magically disappear, the only thing you have left is to dig thru a mountain of not-exactly-the-best docs.

JavaScript doesn't even have Base64 encoding functions. (Yes, some browsers provide window.btoa / window.atob, but it's a non-standard extension.) Unless we have them as a RL module (which we don't as far as I know), this is going to encourage some ugly half-assed reimplementations and homemade escaping solutions.

Or, really, we could just allow getting and setting them without obstacles like that. It's not like you can't do anything to a user anyway if you can inject some JavaScript into his environment; the security implications of non-sanitised preferences which would be used *only* in other JavaScript code seem extremely minuscule to me, compared to the huge vulnerability ;) that user-scripts and gadgets are.
