User "Pgehres (WMF)" posted a comment on MediaWiki.r99802.
Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/99802#c25216

Commit summary:
Initial commit of Extension:FundraiserLandingPage

Comment:
I definitely agree that there is a potential for XSS with this. We had previously decided to just be careful with this and escape the parameters before use as well as not use them in a potentially unsafe way. Do you think that running the parameters through a [a-zA-Z0-9_-]+ regex would eliminate most, if not all, of the potential for XSS?

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
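The allowlist check the comment proposes, written out as an added example that is not part of the FundraiserLandingPage extension or of the review thread. It shows the two details a reviewer would want pinned down: the `[a-zA-Z0-9_-]+` pattern has to be anchored to the whole value (unanchored it matches any string containing one allowed character, so a value with extra markup would pass), and the value is still escaped at the point of output so page safety does not rest on every caller having validated. Function names, the `template` parameter and the sample requests are assumptions constructed for the example; in a real MediaWiki extension the request would come from `WebRequest` and the escaping from the `Html` helpers.

```php
<?php
// Added example, not code from the FundraiserLandingPage extension or the review thread.
// Function and parameter names are hypothetical.

/**
 * Return the named request parameter only if it consists entirely of [a-zA-Z0-9_-],
 * otherwise return the default.
 *
 * The pattern is anchored with \A and \z. An unanchored [a-zA-Z0-9_-]+ matches any
 * value that contains at least one allowed character, so "Lp-default<b>x" would be
 * accepted. \z is used instead of $ because in PCRE $ also matches just before a
 * trailing newline, which would let "Lp-default\n" through.
 */
function getAllowlistedParam( array $request, string $name, string $default = '' ): string {
    // Array-valued parameters (name[]=a&name[]=b) are not strings; treat them as absent.
    if ( !isset( $request[$name] ) || !is_string( $request[$name] ) ) {
        return $default;
    }
    $value = $request[$name];
    if ( preg_match( '/\A[a-zA-Z0-9_-]+\z/', $value ) !== 1 ) {
        return $default;
    }
    return $value;
}

/**
 * Build a hidden form field. Even after allowlisting, the value is escaped for the
 * attribute context at output time, so a future caller that skips validation does not
 * silently reintroduce the problem.
 */
function renderHiddenField( string $name, string $value ): string {
    return '<input type="hidden" name="' . htmlspecialchars( $name, ENT_QUOTES ) .
        '" value="' . htmlspecialchars( $value, ENT_QUOTES ) . '" />';
}

// Constructed sample requests (not real traffic). Each one would normally be $_GET.
$samples = [
    [ 'template' => 'Lp-default' ],       // accepted
    [ 'template' => 'Lp-default<b>x' ],   // rejected: characters outside the allowlist
    [ 'template' => "Lp-default\n" ],     // rejected: trailing newline, caught because of \z
    [ 'template' => [ 'a', 'b' ] ],       // rejected: array parameter, not a string
    [],                                   // missing: default is used
];

foreach ( $samples as $req ) {
    $tpl = getAllowlistedParam( $req, 'template', 'default' );
    echo renderHiddenField( 'template', $tpl ), "\n";
}
```

Running this prints five hidden fields; only the first carries the submitted value, the other four fall back to `default`. The allowlist answers the question in the comment for parameters that are meant to be identifiers (template names, language codes); it is not a substitute for output escaping where a parameter legitimately needs a wider character set.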
