https://bugzilla.wikimedia.org/show_bug.cgi?id=24199

Jan Schejbal <jan-bugrep...@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Low                         |Normal
                 CC|                            |jan-bugrep...@gmx.de
           Severity|enhancement                 |critical

--- Comment #8 from Jan Schejbal <jan-bugrep...@gmx.de> 2012-08-08 00:34:12 UTC ---
I was able to perform XSS on revision 72454 and have no reason to believe this
wouldn't work with current versions. I do not want to publicly disclose the
exploit.

That $wgRawHtml hack really needs to go away. Setting such a global variable
and never changing it back (!) sounds like a great way to cause nasty security
issues everywhere.

I have set severity=critical, priority=normal, please correct it if that was
wrong.