"Raindrift" posted a comment on MediaWiki.r111125.
URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/111125#c30673

Commit summary for MediaWiki.r111125:

jquery.localize(): Allow "raw" parameter to disable escaping.

Raindrift's comment:

Andrew and I discussed how this creates a possible XSS vector, wherein the message is replaced with a malicious one through the MediaWiki namespace. However, it seems we've collectively decided to trust the MW namespace, so that makes this okay.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
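
An added illustration of the trade-off raised in the comment above, not code from the commit or from jquery.localize: it shows how the same overridden message renders with and without escaping, and lists which raw-rendered messages currently contain markup. The function names, message keys, message store and override text are all hypothetical and constructed for this example.

```javascript
// Constructed message store standing in for interface messages that can be
// overridden on-wiki through the MediaWiki namespace (keys are hypothetical).
const defaults = {
  'example-greeting': 'Hello, welcome',
  'example-footer': 'Powered by <b>wiki</b>',
};

// Escape text so it is safe in HTML element content and quoted attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Hypothetical renderer: `raw: true` skips escaping, which is the behaviour
// the commit summary describes for the "raw" parameter.
function renderMessage(store, key, { raw = false } = {}) {
  if (!Object.prototype.hasOwnProperty.call(store, key)) {
    throw new Error(`unknown message key: ${key}`);
  }
  return raw ? store[key] : escapeHtml(store[key]);
}

// Review aid: of the keys rendered raw, list those whose current text would
// be interpreted as markup, i.e. where escaping changes the output.
function rawKeysWithMarkup(store, rawKeys) {
  return rawKeys.filter((key) => renderMessage(store, key, { raw: true }) !==
    renderMessage(store, key));
}

// Constructed on-wiki override of one message.
const overridden = { ...defaults, 'example-greeting': '<script>alert(1)</script>' };

console.log(renderMessage(overridden, 'example-greeting'));
console.log(renderMessage(overridden, 'example-greeting', { raw: true }));
console.log(rawKeysWithMarkup(defaults, ['example-greeting']));
console.log(rawKeysWithMarkup(overridden, ['example-greeting']));
```

With escaping, the override is displayed as text; with `raw`, whoever can edit the message controls the markup, so the set of accounts allowed to edit that namespace is the trust boundary.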
