Brion Vibber wrote:
> On Mar 26, 2009, at 18:30, Aryeh Gregor <Simetrical [email protected]> wrote:
>> On Thu, Mar 26, 2009 at 9:15 PM, Ilmari Karonen <[email protected]> wrote:
>>> Hmm, you're right, it does -- I didn't realize the title was used
>>> unescaped. That looks uncomfortably close to an XSS vulnerability
>>> anyway. I'd feel a lot more comfortable with a htmlspecialchars() in
>>> there. (Didn't we used to allow "<" in titles not so very long ago?
>>> Certainly the feature that disallows HTML entities in titles is
>>> fairly recent.)
>>
>> I'm pretty sure we haven't allowed < in titles for a long time.
>>
> At one point they were briefly enabled in dev trunk and immediately
> disabled for safety. :) never been enabled in production.
Anyway, I just committed r48922. Whatever else re-enabling "<" in titles
might break, category listings should now be safe. :)

-- 
Ilmari Karonen

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
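The point of the thread, as an added illustration that is not MediaWiki code and not the r48922 change itself: a category listing that interpolates titles unescaped is safe only for as long as the title rules forbid "<", while escaping on output with htmlspecialchars() keeps the listing inert even if those rules are relaxed. The function names, the validation regex, the list markup and the sample titles are all assumptions constructed for this example.

```php
<?php
// Added example, not MediaWiki code and not the r48922 change itself.
// It contrasts relying on title validation alone with escaping on output.
// Function names, the validation rule and the list markup are assumptions.

// Assumed validation layer: reject titles containing "<", ">" or an
// HTML entity, roughly the rule the thread describes as currently in force.
function isTitleAllowed(string $title): bool {
    return !preg_match('/[<>]|&#?\w+;/', $title);
}

// Listing item built by string interpolation: safe only while every
// title is guaranteed free of HTML metacharacters.
function renderItemUnescaped(string $title): string {
    return "<li><a href=\"/wiki/$title\">$title</a></li>";
}

// Listing item with output escaping: htmlspecialchars() converts
// < > & " ' to entities, so the title is rendered as text regardless of
// what the validation layer let through; rawurlencode() protects the href.
function renderItemEscaped(string $title): string {
    $text = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return '<li><a href="/wiki/' . rawurlencode($title) . '">' . $text . '</a></li>';
}

// Constructed sample titles; the last two would fail isTitleAllowed().
// "Fish & Chips" passes validation yet still yields a bare "&" unescaped.
$titles = ['Fish & Chips', 'Plain title', 'A<B', 'Entity &lt; title'];

foreach ($titles as $t) {
    $allowed = isTitleAllowed($t) ? 'allowed' : 'rejected';
    echo "$t ($allowed)\n";
    echo '  unescaped: ', renderItemUnescaped($t), "\n";
    echo '  escaped:   ', renderItemEscaped($t), "\n";
}
```

Running it shows that the unescaped renderer produces markup for "A<B" and malformed HTML even for the valid "Fish & Chips", while the escaped renderer emits well-formed, inert list items for every title.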
