User "Dantman" posted a comment on MediaWiki.r58714.
Full URL: https://secure.wikimedia.org/wikipedia/mediawiki/wiki/Special:Code/MediaWiki/58714#c20745

Commit summary:
better pattern for detecting evil scripts in rdfa attributes

Comment:
Blacklisting bad URLs is completely inadequate for actual security. There are numerous ways to bypass that kind of blacklisting and embed a javascript: URL. http://ha.ckers.org/xss.html If it's used out of pure paranoia and not actually part of security then that definition better come with a big fat warning that it should never be used to blacklist in areas where security actually matters.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
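The alternative the comment argues for is an allowlist of URL schemes rather than a pattern that tries to recognise "evil" ones. The following is an added illustration in Python, not MediaWiki code and not the pattern under review: the function names (`normalize_url`, `is_allowed_url`, `sanitize_url_attrs`), the set `ALLOWED_SCHEMES` and the choice of which RDFa attributes carry URLs (`about`, `resource`, `href`, `src`) are assumptions made for the example. Input is normalised first (HTML entities decoded, ASCII control and whitespace characters dropped) so the scheme that is checked is the one a browser would actually see, and anything that is not relative or not on the allowlist is refused without the code ever needing to know what a "bad" scheme looks like.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example: schemes that may appear in URL-bearing
# attributes. Anything not listed is rejected; no "bad scheme" list exists.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# RDFa attributes that carry a URL or IRI (assumption for this example; CURIE
# attributes such as property/rel/typeof are left alone here).
URL_ATTRS = ("about", "resource", "href", "src")

# ASCII control characters and whitespace. Browsers strip or ignore these
# inside a scheme, so they are removed before the scheme is inspected.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")


def normalize_url(raw: str) -> str:
    """Decode HTML entities, then drop control and whitespace characters."""
    decoded = html.unescape(raw)
    return _CONTROL_WS.sub("", decoded)


def is_allowed_url(raw: str) -> bool:
    """Return True only for relative URLs or URLs with an allowlisted scheme."""
    url = normalize_url(raw)
    if not url:
        return False
    parts = urlsplit(url)  # urlsplit lower-cases the scheme it extracts
    if parts.scheme == "":
        return True  # relative reference: no scheme to abuse
    return parts.scheme in ALLOWED_SCHEMES


def sanitize_url_attrs(attrs: dict) -> dict:
    """Drop every URL-bearing attribute whose value fails the allowlist check.

    Non-URL attributes are passed through unchanged.
    """
    clean = {}
    for name, value in attrs.items():
        if name in URL_ATTRS and not is_allowed_url(value):
            continue  # reject rather than attempt to "fix" the value
        clean[name] = value
    return clean


if __name__ == "__main__":
    # Constructed sample attribute set for a quick manual run.
    sample = {
        "about": "https://example.org/wiki/Main_Page",
        "resource": "javascript:void(0)",
        "property": "dc:title",
    }
    print(sanitize_url_attrs(sample))
```

Because the decision is "is this scheme on the allowlist?", case variations, embedded control characters and entity-encoded forms all reduce to the same normalised scheme and are refused by the same branch; a new scheme is only accepted when someone deliberately adds it to `ALLOWED_SCHEMES`.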
