User "^demon" posted a comment on MediaWiki.r94462. Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/94462#c20767

Commit summary:
This Sanitizer::EVIL_URI_PATTERN is completely inadequate for actual security as there are numerous ways to bypass blacklisting. Since it's only used right now for paranoia in cases you currently can't actually exploit a browser we let it slide. However this thing needs a big fat warning message next to it to avoid someone thinking this is actually a good idea for security and ending up later on using it and opening up an XSS hole in core.

Comment:
Since nothing outside this class uses it, how about making it a private static rather than a const so nobody is tempted ;-)

_______________________________________________
MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
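The safer alternative the commit summary alludes to is an allowlist of link schemes rather than a denylist pattern; the following is an added illustration, not MediaWiki's own Sanitizer code, and the function name `isAllowedLinkUrl` and the scheme list are assumptions for the example.

```php
<?php
// Added example (not MediaWiki code): an allowlist of URL schemes for
// href/src attributes, contrasted with a denylist such as EVIL_URI_PATTERN.
// A denylist has to enumerate every dangerous scheme and spelling; an
// allowlist rejects everything it was not explicitly told to accept.

/**
 * Return true only if $url is relative or uses a scheme from the allowlist.
 * Any other scheme, including ones the author never heard of, is rejected.
 */
function isAllowedLinkUrl(string $url): bool
{
    // Schemes an ordinary wiki link needs (assumed list for this example).
    // Extend it deliberately; never widen it to "everything but X".
    static $allowedSchemes = ['http', 'https', 'ftp', 'mailto'];

    // Fail closed on control and whitespace characters: browsers tolerate
    // some of them while parsing a scheme, so the check must not.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }

    // Everything before the first '/', '?' or '#' that ends in ':' is
    // treated as a scheme attempt. No such prefix means a relative URL,
    // which cannot carry a script scheme, so it is accepted.
    if (!preg_match('/^([^\/?#:]*):/', $url, $m)) {
        return true;
    }

    // Compare case-insensitively against the allowlist, nothing else.
    return in_array(strtolower($m[1]), $allowedSchemes, true);
}

// Constructed sample inputs with the expected decision for each.
$samples = [
    'https://example.org/wiki/Main_Page' => true,
    'mailto:user@example.org'            => true,
    '/wiki/Relative_Link'                => true,
    'javascript:alert(1)'                => false,
    'data:text/html,hello'               => false, // not allowlisted
    'unknownscheme:anything'             => false, // no denylist entry needed
];
foreach ($samples as $url => $expected) {
    $ok = isAllowedLinkUrl($url);
    assert($ok === $expected);
    printf("%-38s %s\n", $url, $ok ? 'allowed' : 'rejected');
}
```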
