At one point they were briefly enabled in dev trunk and immediately disabled for safety. :) Never been enabled in production.
-- brion vibber (brion @ wikimedia.org)

On Mar 26, 2009, at 18:30, Aryeh Gregor <Simetrical [email protected]> wrote:

> On Thu, Mar 26, 2009 at 9:15 PM, Ilmari Karonen <[email protected]> wrote:
>> Hmm, you're right, it does -- I didn't realize the title was used
>> unescaped. That looks uncomfortably close to an XSS vulnerability
>> anyway. I'd feel a lot more comfortable with a htmlspecialchars() in
>> there. (Didn't we use to allow "<" in titles not so very long ago?
>> Certainly the feature that disallows HTML entities in titles is
>> fairly recent.)
>
> I'm pretty sure we haven't allowed < in titles for a long time.
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
