2009/8/15 Michael Dale <[email protected]>:
> I don't see this as posing a security risk as it's just a MIME-type
> interpretation issue; the normal cross-site AJAX restrictions are still
> in place. (i.e. you can't do a cross-site iframe and view the result of
> the output)
>
No, but you can trick the user into going to:

http://en.wikipedia.org/w/api.php?action=expandtemplates&format=json&text=<script>alert('Whee!');</script>

which, when visited in IE with text/plain, will result in the execution of the JS fragment. We work around this in other formatters by using text/text; could you test if that works for you too?

Roan Kattouw (Catrope)

_______________________________________________
Mediawiki-api mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
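The following is an added example, not code from the thread above and not MediaWiki's own formatter code (which is PHP). It models the behaviour Roan describes: a JSON reply served as text/plain is content-sniffed by legacy Internet Explorer, and because the caller-supplied `text` parameter is echoed into the body, the `<script>` in the URL ends up rendered as HTML on the wikipedia.org origin. Everything in it is an assumption of mine rather than something the thread states: the sniffing model is a deliberate simplification of old IE (scan the first 256 bytes of a text/plain body for HTML markers), the JSON shape only approximates the 2009 `expandtemplates` output, the function names are invented, and the `X-Content-Type-Options: nosniff` check goes beyond the thread, which only mentions the `text/text` workaround.

```python
"""
Added example, not code from the mailing-list thread or from MediaWiki.

Models the bug discussed above: a JSON API reply served as text/plain is
content-sniffed by legacy Internet Explorer, and when an HTML tag appears near
the start of the body the response is rendered as HTML, so the <script> passed
in the 'text' parameter executes on the API's origin.

Assumptions (mine, not the thread's): the sniffing model is a simplification
of old IE behaviour (inspect the first 256 bytes of a text/plain body for HTML
markers); the JSON shape approximates the 2009 expandtemplates output; the
X-Content-Type-Options handling goes beyond the thread, which only mentions
the non-standard text/text workaround.
"""
import json
from typing import Dict, Tuple

SNIFF_WINDOW = 256  # bytes legacy IE inspected before deciding on a type
HTML_MARKERS = (b"<script", b"<html", b"<head", b"<body", b"<iframe",
                b"<!doctype")


def api_response(text: str, content_type: str,
                 nosniff: bool = False) -> Tuple[Dict[str, str], bytes]:
    """Build the headers and body an expandtemplates&format=json call might
    return (constructed sample; the real formatter output differs in detail).
    The caller-supplied 'text' is echoed into the body unescaped, which is
    exactly what the URL in the thread relies on."""
    body = json.dumps({"expandtemplates": {"*": text}}).encode("utf-8")
    headers = {"Content-Type": f"{content_type}; charset=utf-8"}
    if nosniff:
        headers["X-Content-Type-Options"] = "nosniff"
    return headers, body


def ie_effective_type(headers: Dict[str, str], body: bytes) -> str:
    """Simplified model of legacy IE content sniffing: a text/plain body is
    treated as text/html if an HTML marker occurs in its first 256 bytes,
    unless the server opted out with X-Content-Type-Options: nosniff.
    Any other declared type, including the text/text the thread proposes,
    is honoured as declared because IE has no sniffing rule for it."""
    declared = headers["Content-Type"].split(";", 1)[0].strip().lower()
    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
        return declared
    if declared == "text/plain":
        head = body[:SNIFF_WINDOW].lower()
        if any(marker in head for marker in HTML_MARKERS):
            return "text/html"
    return declared


def script_would_execute(headers: Dict[str, str], body: bytes) -> bool:
    """True if the modelled browser would render the response as HTML,
    i.e. the injected <script> would run."""
    return ie_effective_type(headers, body) == "text/html"


if __name__ == "__main__":
    payload = "<script>alert('Whee!');</script>"
    for ctype, nosniff in (("text/plain", False), ("text/text", False),
                           ("text/plain", True)):
        h, b = api_response(payload, ctype, nosniff)
        print(f"{ctype:10} nosniff={nosniff!s:5} -> {ie_effective_type(h, b)}"
              f" (script runs: {script_would_execute(h, b)})")
```

Under this model the `text/plain` reply with the thread's payload is upgraded to `text/html`, while the same body served as `text/text` is left alone, which is why the workaround in the other formatters helps. The `nosniff` branch is the modern opt-out (honoured by IE8 and later) and is included as a generalisation; a body whose first HTML marker lies beyond the 256-byte window is also not sniffed, which is worth remembering when a short injected prefix is what makes the difference.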
