https://bugzilla.wikimedia.org/show_bug.cgi?id=40124
--- Comment #31 from Bartosz Dziewoński <[email protected]> ---

> I've seen XSS thrown around, but I'm not sure how user option keys are viable XSS vectors.

They aren't. They could be if you could use a GET request to set the preferences, or if the options API didn't require the token, *and* if the scripts themselves didn't sanitize the options' values since they are user input, but you can't and it does and they should.

Apart from this, if you are able to set user prefs, you've already got a script running on somebody's browser, which is what XSS is. The entire user script and gadget system could be considered one huge gaping security hole, but I don't hear about anybody wanting to scrape that.
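As an added illustration of the sanitising point made in the comment above (this is example code, not code from the thread or from MediaWiki): a gadget that renders a user-supplied option value, shown in the unsafe form beside the escaped form. The `options` object, the option key and the `render*` functions are constructed stand-ins for this example, not MediaWiki APIs.

```javascript
// Constructed stand-in for a user-preferences store, as a gadget might read it
// after the token-protected preferences API has stored a value. Only the user
// can set their own options, but a gadget must still treat the value as
// untrusted input before placing it in the DOM.
const options = {
  // Constructed sample value: a preference string that happens to contain markup.
  "userjs-signature": '<img src=x onerror="alert(1)">Alice',
};

// Minimal HTML escaping suitable for text content and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Unsafe pattern: the option value is concatenated straight into HTML,
// so any markup it contains becomes part of the page.
function renderUnsafe(key) {
  return '<span class="sig">' + (options[key] || "") + "</span>";
}

// Hardened pattern: the option value is escaped first, so it is shown as text.
function renderSafe(key) {
  return '<span class="sig">' + escapeHtml(options[key] || "") + "</span>";
}

// Check helper: does the rendered fragment contain any tag other than the
// wrapper <span> the gadget itself emits?
function containsForeignTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}
```

`renderSafe` returns `<span class="sig">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;Alice</span>`, which a browser displays literally.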
