https://bugzilla.wikimedia.org/show_bug.cgi?id=63445
--- Comment #1 from Chris Steipp <[email protected]> ---

Let me know when you have code ready. Also, please follow my suggestion about policy here https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library#Security, and make sure the team has a policy that,

* If substitutions are used in HTML attributes, those attributes must be quoted with double quotes.
* Make sure any SafeString objects have their escaping as close to the creation of the SafeString as possible, and that should be as close to the output as possible. It would be really helpful if I don't have to trace back more than 1 (or at most 2) function calls to see the escaping.

What is the timeline around this?
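
Added example, not part of the comment above and not MediaWiki code: a small template check for the double-quote rule in the first bullet, plus a render showing why HTML-escaping alone does not protect an unquoted attribute. The `{{name}}` placeholder syntax, the function names, and the sample template and value are assumptions constructed for illustration.

```javascript
// Escape the five HTML-significant characters, as a typical template engine does.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Minimal renderer (assumed {{name}} syntax): every substitution is HTML-escaped.
function render(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => escapeHtml(data[k]));
}

// Report each substitution that sits inside a tag but outside a
// double-quoted attribute value. Simplified scanner: a bare "<" in text
// is treated as a tag start.
function findUnsafeAttributeSubstitutions(template) {
  const findings = [];
  let state = 'text'; // 'text' | 'tag' | 'dq' | 'sq'
  let line = 1;
  for (let i = 0; i < template.length; i++) {
    const ch = template[i];
    if (ch === '\n') line++;
    if (template.startsWith('{{', i)) {
      const end = template.indexOf('}}', i);
      if (end === -1) break; // unterminated placeholder: stop scanning
      const name = template.slice(i + 2, end).trim();
      if (state === 'tag') findings.push({ line, name, reason: 'unquoted' });
      if (state === 'sq') findings.push({ line, name, reason: 'single-quoted' });
      i = end + 1; // skip past the closing braces
      continue;
    }
    if (state === 'text' && ch === '<') state = 'tag';
    else if (state === 'tag' && ch === '>') state = 'text';
    else if (state === 'tag' && ch === '"') state = 'dq';
    else if (state === 'tag' && ch === "'") state = 'sq';
    else if (state === 'dq' && ch === '"') state = 'tag';
    else if (state === 'sq' && ch === "'") state = 'tag';
  }
  return findings;
}

// Constructed sample template: one unquoted, one double-quoted, one single-quoted.
const TEMPLATE = [
  '<a class={{cls}} href="{{url}}">{{label}}</a>',
  "<input value='{{val}}'>",
].join('\n');

// Constructed value with no character the escaper touches: the space alone
// ends an unquoted attribute value, so the output gains a second attribute.
const CONSTRUCTED_VALUE = 'x data-injected=1';
console.log(findUnsafeAttributeSubstitutions(TEMPLATE));
console.log(render('<a class={{cls}}>', { cls: CONSTRUCTED_VALUE }));
console.log(render('<a class="{{cls}}">', { cls: CONSTRUCTED_VALUE }));
```

A check like this can run over template files in CI so that a reviewer only has to trace the escaping of SafeString values by hand.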
