"NeilK" posted a comment on MediaWiki.r110045. URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/110045#c30056
Commit summary for MediaWiki.r110045: sanitize outgoing messages

NeilK's comment:

Trying to be extra careful with what we emit. While translations have never been a source of XSS before, we should close the hole before it's exploited. I tested this change on the most complicated ResourceLoader page I know of (UploadWizard) and the only differences were all legitimate XSS problems.

n.b. Sanitizer::removeHTMLtags does not actually remove tags. It really just ensures that some good tags like <b> are balanced, and that evil tags like <script> are escaped with HTML entities, and catches various other XSS issues.

_______________________________________________
MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
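The behaviour NeilK describes (allowlisted tags kept and balanced, everything else entity-escaped rather than stripped) in a small Python sanitizer. This is an added illustration, not MediaWiki's Sanitizer::removeHTMLtags and not code from r110045; the allowlist, the dropping of attributes, and the function names are assumptions made for the example.

```python
import re

# Small tag allowlist constructed for this example (MediaWiki's real list is larger
# and also validates attributes, which this toy version simply drops).
ALLOWED_TAGS = frozenset({"b", "i", "em", "strong", "p"})

# One HTML-like tag: group 1 is "/" for a closing tag, group 2 is the tag name.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^<>]*>")

# A bare "&" that does not already start an entity such as "&amp;" or "&#60;".
BARE_AMP_RE = re.compile(r"&(?![a-zA-Z][a-zA-Z0-9]*;|#[0-9]+;|#[xX][0-9a-fA-F]+;)")


def escape_text(s: str) -> str:
    """Entity-escape text that is not an allowed tag, keeping existing entities."""
    s = BARE_AMP_RE.sub("&amp;", s)
    return s.replace("<", "&lt;").replace(">", "&gt;")


def sanitize_html(text: str, allowed=ALLOWED_TAGS) -> str:
    """Keep allowed tags properly nested and closed; escape every other tag."""
    out = []
    stack = []  # allowed tags currently open, innermost last
    pos = 0
    for m in TAG_RE.finditer(text):
        out.append(escape_text(text[pos:m.start()]))
        pos = m.end()
        closing, name = m.group(1) == "/", m.group(2).lower()
        if name not in allowed:
            # Disallowed tag (e.g. <script>): left visible but inert as entities.
            out.append(escape_text(m.group(0)))
        elif not closing:
            # Allowed opening tag: re-emit without attributes (simplification).
            stack.append(name)
            out.append(f"<{name}>")
        elif name in stack:
            # Allowed closing tag: close anything opened after it first so the
            # output stays well nested.
            while True:
                top = stack.pop()
                out.append(f"</{top}>")
                if top == name:
                    break
        else:
            # Closing tag with no open counterpart: escape instead of emitting.
            out.append(escape_text(m.group(0)))
    out.append(escape_text(text[pos:]))
    # Close whatever is still open so the fragment cannot leak into its parent page.
    while stack:
        out.append(f"</{stack.pop()}>")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample messages, including one carrying a script tag.
    for sample in ("<b>bold <script>alert(1)</script></b>",
                   "<b><i>nested</b></i>",
                   "1 < 2 &amp; 3",
                   '<b onclick="x">attrs dropped</b>'):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The point the test cases make is the one in the comment: nothing is removed, so a reviewer can still see the offending markup in the output, but only allowlisted tags are emitted as real tags, and those are always closed in the right order.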
