User "Pgehres (WMF)" posted a comment on MediaWiki.r99802.
Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/99802#c25218
Commit summary:
Initial commit of Extension:FundraiserLandingPage
Comment:
From #wikimedia-dev, 2011/10/20
[01:12am] pgehres: TimStarling: if you'd like to chat about the extension more
synchronously, I'm around
[01:12am] TimStarling: pgehres: I think running the parameters through a
restrictive regex would prevent security issues
[01:13am] TimStarling: but it would limit what you can do with the extension
[01:13am] TimStarling: if you tried to put text in there for display, it
wouldn't be long before you started missing your punctuation
[01:13am] pgehres: TimStarling: yes, but I think we will generally be loading
other templates for the appeal text since it will need to be localized
[01:14am] pgehres: I am willing to sacrifice some flexibility for security
[01:14am] TimStarling: if you just made 400 pages, and didn't use the extension
at all, it would be pretty secure
[01:15am] pgehres: That is definitely true, but we would need to make many
times that many
[01:15am] pgehres: It's about 400 per appeal
[01:15am] TimStarling: fair enough
[01:16am] TimStarling: obviously page creation can be automated, but that won't
make sense as a solution above a few thousand pages
[01:18am] pgehres: we did think about bots as well, but we are already passing
country and language in the query string and it seemed more natural to do this
and do even more switches in wiki-markup (as well as less fragile during the
fundraiser)
[01:19am] pgehres: I will go ahead and implement the regex if you think that's
a reasonable solution
[01:20am] TimStarling: yes, I think it will work, barring some really unlikely
template constructions
[01:20am] pgehres: okay, thank you very much for looking at this
[01:20am] TimStarling: <script>eval(base64_decode('{{{value}}}')); </script>
_______________________________________________
MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
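The whitelist check discussed in the chat above, written out as an added example; this is not code from Extension:FundraiserLandingPage, from MediaWiki, or from either participant. The parameter names, the pattern, the constructed query and the hypothetical buildTemplateCall helper are all assumptions made for illustration. The last part of the block shows Tim's closing point: a regex constrains characters, not meaning, so a base64-encoded payload passes an alphanumeric whitelist untouched.

```php
<?php
// Added example, not code from Extension:FundraiserLandingPage or MediaWiki.
// The parameter names, the pattern and the sample query are assumptions.

/** Whitelist pattern for query parameters: short, alphanumeric plus '_' and '-'. */
const PARAM_PATTERN = '/^[A-Za-z0-9_-]{1,64}$/';

/**
 * Keep only the expected parameters whose values match the whitelist.
 * Values that fail are dropped entirely rather than escaped, so nothing
 * that failed the check is ever substituted into wikitext.
 */
function filterParams(array $query, array $expected): array
{
    $clean = [];
    foreach ($expected as $name) {
        if (!isset($query[$name]) || !is_string($query[$name])) {
            continue;
        }
        if (preg_match(PARAM_PATTERN, $query[$name]) === 1) {
            $clean[$name] = $query[$name];
        }
    }
    return $clean;
}

/**
 * Hypothetical helper: build a template call the way a landing page might.
 * Because every value already matched PARAM_PATTERN, none can contain
 * '|', '{', '}' or '<', so a value cannot break out of the template call
 * or inject markup at this point.
 */
function buildTemplateCall(string $template, array $params): string
{
    $parts = [$template];
    foreach ($params as $name => $value) {
        $parts[] = $name . '=' . $value;
    }
    return '{{' . implode('|', $parts) . '}}';
}

// Constructed sample query, one parameter carrying hostile wikitext.
$query = [
    'country'  => 'US',
    'language' => 'en',
    'appeal'   => 'JimmyQuote-2011_10',
    'extra'    => 'x|}}<script>alert(1)</script>{{Foo',
];
$clean = filterParams($query, ['country', 'language', 'appeal', 'extra']);
echo buildTemplateCall('FundraiserLandingPage', $clean), "\n";
echo 'rejected: ', implode(', ', array_diff(array_keys($query), array_keys($clean))), "\n";

// The caveat from the last line of the chat: the whitelist constrains
// characters, not meaning. The base64 text of "alert(1);" is all letters
// and digits, so it passes, and a template that wrapped {{{value}}} in
// eval(base64_decode(...)) would hand the decoded payload straight to eval.
$encoded = base64_encode('alert(1);');
echo 'base64 payload passes whitelist: ',
    var_export(preg_match(PARAM_PATTERN, $encoded) === 1, true), "\n";
echo 'decodes to: ', base64_decode($encoded), "\n";
```

Run it with `php example.php`. Rejected values are dropped rather than escaped on purpose: with a whitelist this tight there is no safe way to "repair" a bad value, and silently passing an escaped version would make it harder to notice a broken or hostile link. The whitelist stops a value from breaking out of the template call; it does nothing about what the template itself chooses to do with a value that passed, which is the point of the eval example.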