On Wed, May 16, 2012 at 7:32 PM, Terry Chay <[email protected]> wrote:
> I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects against 
> this as it is required for an edit: http://www.mediawiki.org/wiki/API:Edit
>
Not if you can read the data using the Object/Array constructor hacks
you described. The potential for data leakage includes token leakage,
and once you get the API to leak a token you can create a hidden form
on the page that POSTs all the right data (including the token) to the
action=edit API and call .submit() on the form.

Roan

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
