https://bugzilla.wikimedia.org/show_bug.cgi?id=31830
--- Comment #2 from Van de Bugger <[email protected]> 2011-10-19 21:45:14 UTC ---

Content of message is passed through the MediaWiki parser, so:

1. Unsafe HTML elements will not be recognized (but escaped instead):

   {{ #info: <a href="…">link</a> | escape = no }}

   produces the literal "<a href="…">link</a>".

2. Unsafe attributes cause warnings:

   {{ #info: <span style="…">link</span> | escape = no }}

   produces "Error: style is not allowed" (wording is not exact; translated back to English from another language).

In particular,

   {{ #info: <script>alert('xss');</script> | escape = no }}

produces nothing more than just "<script>alert('xss');</script>". Literally.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
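The three outcomes the comment reports (an element outside the allowlist is escaped to literal text, an attribute outside the allowlist is dropped with a warning, and a script body never reaches the page as markup) are what an allowlist-based sanitizer produces. The block below is an added example written for this page; it is not MediaWiki's Sanitizer and not code from the bug report. `ALLOWED_TAGS`, `ALLOWED_ATTRS`, the `sanitize` function and the sample inputs are assumptions constructed for illustration, and the warning string simply mimics the wording quoted in the comment.

```python
"""Allowlist-based HTML sanitizer (added example, not MediaWiki's code).

Elements outside ALLOWED_TAGS are emitted as escaped literal text, attributes
outside ALLOWED_ATTRS are dropped with a warning, text is always escaped.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlists chosen for illustration; MediaWiki's real lists differ.
ALLOWED_TAGS = {"span", "b", "i", "em", "strong", "code"}
ALLOWED_ATTRS = {"class", "title"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.warnings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown element: emit the raw tag text escaped, so
            # '<a href="...">' shows up on the page instead of rendering.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                # Mimics the warning wording quoted in the comment.
                self.warnings.append(f"Error: {name} is not allowed")
                continue
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/>: one escaped token if disallowed,
        # otherwise the default start+end handling.
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(self.get_starttag_text()))
        else:
            super().handle_startendtag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text, including the body of <script> (which HTMLParser hands over
        # as raw data), is always escaped and so can never become markup.
        self.out.append(escape(data))

    def handle_comment(self, data):
        # Comments are shown literally rather than passed through.
        self.out.append(escape(f"<!--{data}-->"))


def sanitize(fragment):
    """Return (safe_html, warnings) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.warnings


if __name__ == "__main__":
    # Constructed inputs mirroring the three cases from the comment, plus
    # an event-handler attribute on an allowed element.
    for sample in ('<a href="https://example.invalid/">link</a>',
                   '<span style="color:red">link</span>',
                   "<script>alert('xss');</script>",
                   '<b onclick="steal()">bold</b>'):
        print(sanitize(sample))
```

The important design point is that the decision is made per token on an allowlist, never on a denylist of "known bad" tags: `<script>` is not special-cased anywhere, it is simply not in `ALLOWED_TAGS`, so it takes the same literal-escape path as `<a>`.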
