https://bugzilla.wikimedia.org/show_bug.cgi?id=68372
--- Comment #19 from Tisza Gergő <[email protected]> ---
(In reply to Bawolff (Brian Wolff) from comment #18)
> What sort of injection vulnerabilities do you mean ( < and > are disallowed
> in titles. Things should be escaped before injecting into html anyways).

Quotes are allowed and can be used to break out from HTML attributes. The goal of having a custom URL in the first place is that people can copy-paste it, so escaping would be up to the reuser. People don't escape URLs they paste into blog posts.

> I doubt RTL characters would cause major problems. The annoying characters
> (bidi override, rtl mark, etc) are banned from file names anyways.

Here is an example: https://he.wikipedia.org/wiki/קובץ:תוכנית הפדרציה.png
Press "reply" and try to interact with it in the edit box (like deleting some character, adding ASCII characters). Not a major problem but an annoyance. Plus, tofu in the editbox for more exotic scripts.

Autolinking is a bigger concern though. MediaWiki (and Gmail, Facebook, pretty much anything else) tends to end links at characters like ")" which are pretty frequent in file names.
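Added example, not part of the original comment and not MediaWiki code: a Python sketch of the two concerns raised above, comparing a human-readable copy-paste URL with a percent-encoded one when a reuser pastes it unescaped into an `href` attribute or into autolinked text. The base URL, the sample titles, the function names and the simplified autolinker rule are all assumptions made for illustration.

```python
import re
from urllib.parse import quote

BASE = "https://example.org/wiki/"  # hypothetical base URL

def readable_url(title):
    """Human-readable link: only spaces are replaced, quotes and parens stay."""
    return BASE + title.replace(" ", "_")

def encoded_url(title):
    """Percent-encode everything except unreserved characters and ':'."""
    return BASE + quote(title.replace(" ", "_"), safe=":")

def paste_into_href(url):
    """A reuser pasting the URL into markup without escaping it."""
    return '<a href="' + url + '">file</a>'

def href_value(markup):
    """What a parser takes as the attribute value: up to the next quote."""
    return re.search(r'href="([^"]*)"', markup).group(1)

# Simplified stand-in for an autolinker (an assumption, not MediaWiki's rule):
# match up to whitespace or a quote, then treat trailing punctuation as prose.
AUTOLINK = re.compile(r'https?://[^\s<>"]+')

def autolink(text):
    return AUTOLINK.search(text).group(0).rstrip(".,;:!?)")

if __name__ == "__main__":
    # Constructed sample titles.
    quoted = 'File:Plan "A" (draft).png'
    paren = "File:Map (1920)"
    for make in (readable_url, encoded_url):
        print(make.__name__)
        print("  href seen:", href_value(paste_into_href(make(quoted))))
        print("  autolink: ", autolink("See " + make(paren) + " for details"))
```

With the readable form, the attribute value ends at the first quote and the autolinked URL loses its closing parenthesis; the encoded form survives both unchanged.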
