Daniel Kinzler wrote:
> David Gerard wrote:
>> 2009/6/4 Gregory Maxwell <[email protected]>:
>>> Restrict site-wide JS and raw HTML injection to a smaller subset of
>>> users who have been specifically schooled in these issues.
>>
>> Is it feasible to allow admins to use raw HTML as appropriate but not
>> raw JS? Being able to fix MediaWiki: space messages with raw HTML is
>> way too useful on the occasions where it's useful.
>
> Possible yes, sensible no. Because if you can edit raw html, you can inject
> javascript.
>
> -- daniel

Not if you sanitize the HTML after the fact: just cleaning out <script> tags and elements from the HTML stream should do the job.

After this has been done to the user-generated content, the desired locked-down script code can then be inserted at the final stages of page generation.

-- Neil

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

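An added illustration of the two-stage approach Neil describes (sanitise the user-supplied raw HTML, then append the site's trusted script at the end of page generation); this is not code from the thread or from MediaWiki, which is PHP, and it is written in Python for brevity. It goes slightly beyond "just <script> tags" by also dropping inline on* event-handler attributes and javascript: URLs, since those carry script as well; the sample HTML and the /site.js path are constructed placeholders.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample of "raw HTML" a MediaWiki: message might contain.
USER_HTML = ('<div class="notice"><b>Hi</b><script>alert(1)</script>'
             '<a href="javascript:alert(2)" onclick="x()">link</a></div>')
# Constructed placeholder for the locked-down site script.
SITE_JS = '<script src="/site.js"></script>'

class ScriptStripper(HTMLParser):
    """Re-serialises HTML, dropping <script> elements (with their body),
    on* event-handler attributes and javascript: URLs in href/src."""
    def __init__(self):
        super().__init__()        # convert_charrefs=True: entities re-escaped below
        self.out = []
        self.skip_depth = 0       # > 0 while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.skip_depth += 1  # parser is now in CDATA mode until </script>
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith('on'):
                continue          # inline event handlers are script too
            if name in ('href', 'src') and value and re.sub(
                    r'[\s\x00-\x1f]', '', value).lower().startswith('javascript:'):
                continue          # javascript: URLs, even with embedded whitespace
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag == 'script':
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip_depth:   # text inside <script> is discarded
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    p = ScriptStripper()
    p.feed(html_text)
    p.close()
    return ''.join(p.out)

def render_page(user_html, trusted_script):
    # User content is sanitised first; the trusted script is added only afterwards.
    return sanitize(user_html) + trusted_script
```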