https://bugzilla.wikimedia.org/show_bug.cgi?id=63445

--- Comment #1 from Chris Steipp <cste...@wikimedia.org> ---
Let me know when you have code ready.

Also, please follow my suggestion about policy here
https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library#Security,
and make sure the team has a policy that:

* If substitutions are used in HTML attributes, those attributes must be quoted
with double quotes.
* Make sure any SafeString objects have their escaping as close to the creation
of the SafeString as possible, and that should be as close to the output as
possible. It would be really helpful if I don't have to trace back more than 1
(or at most 2) function calls to see the escaping.

What is the timeline around this?

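The first policy point above, as an added example that is not part of the original comment or of MediaWiki's code: a check that flags substitutions in attributes that are not double-quoted, and a render of three constructed values showing how many attributes a parser sees afterwards. The `{{name}}` syntax, the escaper and every function name here are assumptions.

```javascript
// Added example. Assumes Handlebars-style {{name}} substitutions; all names are hypothetical.
// Models an escaper that leaves single quotes alone (as PHP's htmlspecialchars
// does under ENT_COMPAT), which is why only double-quoted attributes are safe.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

const TAG = /<[a-zA-Z](?:"[^"]*"|'[^']*'|[^'">])*>/g;
const ATTR = /([^\s"'=<>\/]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;

// Policy check: report every substitution in an attribute value that is not double-quoted.
function lintTemplate(tpl) {
  const findings = [];
  for (const tag of tpl.match(TAG) || []) {
    for (const [, name, value] of tag.matchAll(ATTR)) {
      if (!value.includes('{{') || value.startsWith('"')) continue;
      findings.push({ tag, attr: name, quoting: value.startsWith("'") ? 'single' : 'unquoted' });
    }
  }
  return findings;
}

// Minimal renderer: every substitution is escaped at the point of output.
function render(tpl, data) {
  return tpl.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => escapeHtml(data[key]));
}

// Names of the attributes a parser would see in the rendered markup.
function attrNames(html) {
  return [...html.matchAll(ATTR)].map((m) => m[1]);
}

// Constructed inputs: harmless values that try to leave the attribute.
const cases = [
  ['<img src={{url}}>', { url: 'pic.png data-injected=1' }],
  ["<img src='{{url}}'>", { url: "pic.png' data-injected='1" }],
  ['<img src="{{url}}">', { url: 'pic.png" data-injected="1' }],
];
for (const [tpl, data] of cases) {
  const html = render(tpl, data);
  console.log(lintTemplate(tpl).map((f) => f.quoting), html, attrNames(html));
}
```

Only the double-quoted template renders to a single `src` attribute; the other two gain a second attribute even though every value went through the escaper.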