https://bugzilla.wikimedia.org/show_bug.cgi?id=40124

--- Comment #17 from Krinkle <[email protected]> 2012-12-03 21:05:38 UTC ---
(In reply to comment #12)
> I think refusing to save the characters <>&'"/ might be a good compromise.

(In reply to comment #15)
> (In reply to comment #13)
> > Ugh, to me the idea with removing the characters altogether doesn't sound 
> > good.
> 
> You misunderstood. The proposal isn't to remove the characters, it's to return
> a warning or error and not save the submitted value at all if the characters
> are included.
> 

Why escape them? The values are exported to javascript as an object literal.
The values themselves are javascript-escaped by the JSON encoder, which is
then embedded in a script tag (which makes it HTML encoded safe). What kind of
attack are we preventing by restricting the value? It can be any string, right?

Also:
* Escape them how, when and where?
* Escape them for what? HTML? JavaScript? CSS? URL?


(In reply to comment #12)
> [script] really wants to save html in a preference, they can base64 encode
> the value, and decode it when they use it
> > JavaScript doesn't even have Base64 encoding functions.
> jQuery doesn't have base64 built in? Disappointing.

base64 seems pointless per the previous paragraph. As for jQuery, jQuery is a
library for abstracting DOM and Ajax interaction. It isn't an arbitrary
collection of utilities (the few utilities it has are mostly undocumented for
internal usage, not public APIs). Something like base64 encoding would never be
a public API in jQuery. Completely out of its scope.


_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

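The embedding the comment above relies on, as an added example that is not code from the bug report or from MediaWiki: user preference values JSON-encoded into an inline script block as an object literal. The example shows the one property a practitioner should verify before calling that embedding HTML-safe: the JSON encoder must escape `<`, `>` and `&` as `\uXXXX`, because the HTML parser ends a script element at the first `</script` regardless of JavaScript string boundaries. Plain `JSON.stringify` does not do that; the hardened encoder below does, and the value still round-trips unchanged, so nothing has to be rejected or base64-wrapped. The variable name `prefs` and the sample value are constructed for illustration.

```javascript
// Added example (not from the bug or MediaWiki): exporting user-controlled
// preference values into an inline <script> as a JSON object literal.

// Plain JSON.stringify escapes quotes and backslashes, which keeps a value
// inside its JS string literal, but it leaves '<', '>' and '&' untouched.
// The HTML tokenizer closes the script element at the first "</script", so a
// value containing that sequence escapes the script block into HTML.
function encodeNaive(obj) {
  return JSON.stringify(obj);
}

// Hardened encoder: also escape the characters that matter to the HTML parser,
// plus U+2028/U+2029, which JSON allows raw but older JS string literals do not.
// The output is still valid JSON and a valid JS literal, and decodes to the
// identical string, so arbitrary preference values remain storable.
function encodeForScript(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render the inline script element that exports the preferences object.
function renderPrefsScript(prefs, encoder) {
  return '<script>var prefs=' + encoder(prefs) + ';</script>';
}

// Check the way the HTML tokenizer does: if "</script" appears anywhere in the
// script body, everything after it is parsed as HTML, not as JavaScript.
function scriptIsIntact(html) {
  const body = html.slice('<script>'.length, html.length - '</script>'.length);
  return !/<\/script/i.test(body);
}

// Constructed preference value, the kind a gadget might try to store.
const HOSTILE = {
  signature: 'x</script><img src=x onerror=alert(1)>',
  lang: 'en',
};

console.log(scriptIsIntact(renderPrefsScript(HOSTILE, encodeNaive)));      // false
console.log(scriptIsIntact(renderPrefsScript(HOSTILE, encodeForScript)));  // true
console.log(JSON.parse(encodeForScript(HOSTILE)).signature === HOSTILE.signature); // true
```

The same property holds for any string, which is why no character needs to be banned at save time: the escaping belongs in the encoder that writes the script block, not in the value that is stored.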