https://bugzilla.wikimedia.org/show_bug.cgi?id=48772

C. Scott Ananian <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
           Assignee|[email protected]        |[email protected]

--- Comment #1 from C. Scott Ananian <[email protected]> ---
There are three interconnected issues:
1)
  <span prefix="mw: http://evil.bad">
is valid wikitext, which would create malformed Parsoid DOM.  We should
sanitize the wikitext (but that has to happen *before* we create the DOM, since
otherwise we can't tell which prefix attributes are good and which are evil.)

2) VE needs to prevent users from authoring content which sets prefix
attributes, etc.  Currently it does so, but it would be nice to make Parsoid
more robust against malformed DOM, and/or to add layers of protection so that
front ends aren't solely responsible for sanitizing user input.

3) Longer term we should probably think about use cases where the user wants to
deliberately author RDFa markup on their content, and ensure that they are able
to do so in a safe way.

This bug is primarily about #1 (the short term issue) and I'll tackle it
tomorrow.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
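
Point 1 of the comment above, as an added JavaScript illustration that is not Parsoid code and not part of the original message: once tokens become DOM nodes, a user-supplied `prefix` attribute looks the same as one the parser emitted, so the filter has to run on tokens. The token shape, the `source` field, the function names and the trusted prefix URL are assumptions constructed for the example.

```javascript
'use strict';

// Attributes that rebind RDFa prefixes. The comment names `prefix` ("etc."
// suggests more), so the set is kept in one place for extension.
const RESERVED_ATTRS = new Set(['prefix']);

// Constructed sample: tokens as a hypothetical tokenizer might emit them for
//   <span prefix="mw: http://evil.bad" class="note">
// plus one parser-generated element carrying the trusted binding.
// `source` records provenance, which exists only at the token stage.
function sampleTokens() {
  return [
    { tag: 'span', source: 'wikitext',
      attrs: [['prefix', 'mw: http://evil.bad'], ['class', 'note']] },
    { tag: 'body', source: 'parser',
      attrs: [['prefix', 'mw: http://trusted.example/rdf/']] },
  ];
}

// Token-stage sanitizer: drop reserved attributes on user-authored tokens only.
// Attribute names are compared case-insensitively, as in HTML.
function sanitizeTokens(tokens) {
  return tokens.map((t) => (t.source !== 'wikitext' ? t : {
    ...t,
    attrs: t.attrs.filter(([k]) => !RESERVED_ATTRS.has(k.trim().toLowerCase())),
  }));
}

// Stand-in for DOM building: provenance is discarded, only tag + attrs remain.
function buildDom(tokens) {
  return tokens.map(({ tag, attrs }) => ({ tag, attrs: new Map(attrs) }));
}

// Every prefix binding visible to a consumer of the built DOM.
function prefixBindings(dom) {
  return dom.filter((n) => n.attrs.has('prefix')).map((n) => n.attrs.get('prefix'));
}

// Compare the DOM built with and without the token-stage filter.
function demo() {
  return {
    unsanitized: prefixBindings(buildDom(sampleTokens())),
    sanitized: prefixBindings(buildDom(sanitizeTokens(sampleTokens()))),
  };
}

console.log(demo());
```

In the unsanitized DOM both bindings survive with nothing to tell them apart; in the sanitized one only the parser-generated binding remains and the user's other attributes are untouched.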
