https://bugzilla.wikimedia.org/show_bug.cgi?id=31830
--- Comment #1 from Jeroen De Dauw <[email protected]> 2011-10-19 21:39:13 UTC ---

I already pointed this out on the list, but you can't simply turn off escaping. It's there for security reasons, not to prevent people from adding markup. What if someone enters this?

<script>alert('xss');</script>

It'll just be executed by the browser. See this for more info: https://en.wikipedia.org/wiki/Cross-site_scripting

Other than that it looks ok. One minor thing though: it's better to use setMessage( 'foo' ) than setDescription( wfMsg( 'foo' ) ), as it allows handling code to get the message in languages other than the one of the user executing the code.
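The point made in the comment above, as an added example that is not part of the original comment, the patch under review, or MediaWiki's code. It goes one step beyond the comment by showing how limited markup can be allowed without turning escaping off; all function names and the tag allowlist are hypothetical.

```php
<?php
// Added example with hypothetical function names; not MediaWiki code.

/** What "turning off escaping" amounts to: input reaches the page as HTML. */
function renderDescriptionRaw(string $description): string {
    return '<p class="description">' . $description . '</p>';
}

/** Escaped output: <, >, &, " and ' become entities, so input stays text. */
function renderDescriptionEscaped(string $description): string {
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="description">' . $safe . '</p>';
}

/**
 * Escape everything first, then restore only exact, attribute-free tags
 * from a fixed allowlist (an assumption made for this example). Anything
 * else, including <script> and tags carrying attributes, stays escaped.
 */
function renderDescriptionLimitedMarkup(string $description): string {
    $allowed = ['b', 'i', 'em', 'strong', 'code'];
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    foreach ($allowed as $tag) {
        $safe = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $safe
        );
    }
    return '<p class="description">' . $safe . '</p>';
}

// Constructed sample inputs; the first is the string quoted in the comment.
$samples = [
    "<script>alert('xss');</script>",
    'Use <b>bold</b> and <code>foo</code>',
    '<b onmouseover="x()">hover</b>',
];

foreach ($samples as $input) {
    echo "input:   $input\n";
    echo "raw:     " . renderDescriptionRaw($input) . "\n";
    echo "escaped: " . renderDescriptionEscaped($input) . "\n";
    echo "limited: " . renderDescriptionLimitedMarkup($input) . "\n\n";
}
```

Only the raw variant emits a live `<script>` element or event-handler attribute; in the limited variant the opening tag with an attribute stays escaped and only the bare closing tag is restored, which is inert.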
