User "Awjrichards" posted a comment on Wikimedia.r205.
Full URL: http://www.mediawiki.org/wiki/Special:Code/Wikimedia/205#c18900

Commit summary:
moving the contents of http://svn.wikimedia.org/viewvc/mediawiki/trunk/fundraiser-statistics/fundraiser-scripts/ for fundraiser analytics and reporting to the wikimedia repository

Comment:
This is also true with: /trunk/fundraiser-analysis/web_reporting/settings.py

In /trunk/fundraiser-analysis/web_reporting/manage.py line 5 you have:

    sys.path.append('/home/rfaulkner/trunk/projects/')

It's probably better to not have hardcoded local paths - as wherever this code gets checked out probably won't have that path in existence and/or it may not contain what you expect :p

You have two separate copies of jquery in the same django project - this is probably not good practice.

In /trunk/fundraiser-analysis/web_reporting/tests/views.py (add_comment() and test() in particular), you are taking user input and performing various actions (e.g. database queries and redisplaying/rendering user input back to the user) without sanitizing the values. This opens a number of vulnerabilities (XSS and SQL injection, primarily). See http://www.mediawiki.org/wiki/Security_for_developers for more info. I imagine Django provides some nifty way to sanitize user input.

Gotta run to a mtg, will add more later.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
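The two defences the comment is asking for, shown as an added example that is not code from the fundraiser-analysis project or from the reviewer. It uses only the Python standard library (sqlite3 and html.escape) so it runs offline; Django's raw cursor.execute(sql, params) and its ORM bind parameters the same way, and Django templates HTML-escape variables by default unless the developer opts out with mark_safe or the |safe filter. The table layout and the function names (add_comment, render_comment, and the deliberately weak add_comment_unsafe) are assumptions made for the example, not names from the reviewed views.py.

```python
"""Added example: storing and re-displaying a user-supplied comment safely.

The unsafe function splices the input into SQL text, which is the pattern
the review flags; the hardened functions bind the value as a parameter and
escape it on output.  Table name, columns and function names are assumed.
"""
import html
import sqlite3


def open_db() -> sqlite3.Connection:
    """Constructed fixture: an in-memory database with a comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    return conn


def add_comment_unsafe(conn: sqlite3.Connection, body: str) -> None:
    """Vulnerable pattern (kept only to show the defect): user input is
    formatted straight into the statement.  A single apostrophe in the
    input already breaks the SQL, which is the same weakness SQL
    injection relies on."""
    conn.execute("INSERT INTO comments (body) VALUES ('%s')" % body)


def add_comment(conn: sqlite3.Connection, body: str) -> int:
    """Hardened form: the value travels as a bound parameter, so the
    database never parses it as SQL.  Django's cursor.execute(sql, params)
    and ORM calls bind values the same way."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def get_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    """Read a comment back, again with a bound parameter."""
    row = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return row[0] if row else ""


def render_comment(body: str) -> str:
    """Hardened output: escape before embedding in HTML so any markup in
    the stored text is displayed literally instead of interpreted by the
    browser (what Django's template autoescaping does for you)."""
    return '<li class="comment">%s</li>' % html.escape(body, quote=True)


def unsafe_query_fails(conn: sqlite3.Connection, body: str) -> bool:
    """True if the string-spliced INSERT raises a syntax error on this
    input: a cheap check that shows why the unsafe version is wrong."""
    try:
        add_comment_unsafe(conn, body)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    # Constructed input containing a quote, markup and an ampersand.
    text = 'O\'Brien says <b>hi</b> & "bye"'
    new_id = add_comment(db, text)
    print("stored exactly:", get_comment(db, new_id) == text)
    print("rendered as:", render_comment(get_comment(db, new_id)))
    print("unsafe insert breaks on an apostrophe:", unsafe_query_fails(db, text))
```

The point of the round trip is that the stored text is byte-for-byte what the user typed (no input mangling), and the escaping happens once, at the HTML boundary, which is where Django's autoescaping already lives.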
