--- Comment #4 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to Prateek Saxena from comment #3)
> (In reply to Chris Steipp from comment #2)
> > I'm mostly concerned about the $contentbox portion, since that is generated
> > from user content.
> We are using .text() when placing the extract in the Popup. Are there any
> other measures that need to be taken? The other elements are being created
> in jQuery (as the code convention link explains).
No, .text() doesn't stop several attacks. For example:
$i = $( "<div>asdf<script>alert(1)</script></div>" );
$o = $( "<div/>" );
$o.html( $i.text() );
You may be able to sanitize it with mw.html.escape, but I'm not entirely sure
what markup you're trying to pass through.
> > Yes, this part is fine.
> > Is there a working version of this in labs somewhere that I can test with?
> > Or can you list out what dependencies this has? I'm not able to get it
> > working locally.
> There is a test instance where the latest code lives. A couple of people
> have had the same issue and I am not sure what is wrong. I'll talk to Yuvi
> and resolve this. Are you using the vagrant role (popups) to set it up?
As soon as I install it, ResourceLoader complains that it can't find the class
ResourceLoaderSchemaModule. I'm not sure if that's a typo, or if you're pulling
that in from another extension.
>  http://chicken.wmflabs.org/wiki/TestNavPopUps
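The round trip Chris describes, as an added example (not code from this bug thread or from the Popups extension): plain Node with no jQuery or DOM, where `escapeHtml`, `textOfMarkup`, `setHtml` and `setText` are simplified stand-ins for mw.html.escape, `$(html).text()`, `.html()` and `.text()`, and `EXTRACT_MARKUP` is a constructed extract.

```javascript
// Added example, not code from the bug thread or from the Popups extension.
// It models in plain Node (no jQuery, no DOM) what jQuery .text() and .html()
// do with a string, so the hazard in the comment above can be checked offline.

// Stand-in for mw.html.escape(): entity-encode the HTML-significant characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for $(html).text(): the browser parses `html`, drops the tags and
// decodes entities, so the returned value is plain text with no encoding left.
function textOfMarkup(html) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return html.replace(/<[^>]*>/g, '').replace(/&(amp|lt|gt|quot|#039);/g, (_, e) => map[e]);
}

// Stand-in for $o.html(str): the string is handed to the HTML parser as-is,
// so any '<' in it starts a tag again. Returns the markup the popup would hold.
function setHtml(str) {
  return str;
}

// Stand-in for $o.text(str): the string becomes a text node; serialising it
// back as markup gives the escaped form, so no tag can come out of it.
function setText(str) {
  return escapeHtml(str);
}

// Does the resulting popup markup contain a script element?
function hasScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed input: an extract whose text merely mentions a script tag.
// Once it has been through .text() the entities are gone and the raw '<' is back.
const EXTRACT_MARKUP = '<div>asdf&lt;script&gt;alert(1)&lt;/script&gt;</div>';

function demo() {
  const extractText = textOfMarkup(EXTRACT_MARKUP);   // 'asdf<script>alert(1)</script>'
  return {
    viaHtml: setHtml(extractText),                     // markup is re-created: unsafe
    viaText: setText(extractText),                     // stays inert text: safe
    viaEscapedHtml: setHtml(escapeHtml(extractText)),  // escape before .html(): safe
  };
}
```

The point to check in review is the pairing: a value that came out of `.text()` is decoded text and must go back in through `.text()` (or be escaped first), never through `.html()`.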