https://bugzilla.wikimedia.org/show_bug.cgi?id=19528
--- Comment #5 from Tisza Gergő <gti...@gmail.com>  2009-07-11 09:13:40 UTC ---
(In reply to comment #4)
> And what if someone points to a malicious XSLT? E.g.
> api.php?action=query&xslt=http://malicious.site/steal-cookies.xslt

As I said in the summary, XSLT files should be restricted to the MediaWiki
namespace: for example, api.php?action=query&xslt=foo could be translated to
<?xml-stylesheet href="http://wiki.domain/wiki/MediaWiki:XSLT-foo.xsl"
type="text/xsl" ?>. Anyone with malicious intent and write access to the MW
namespace can already pull far worse tricks.

> Also, this is API. *Application* programming interface. It's not intended to
> format a user-readable output. I suggest WONTFIX.

And it would not format a user-readable output; it would format the exact same
output with an XSLT header added. One could argue that the application is the
browser in this case, were not arguments about the semantics of the A in API
utterly pointless. Are there any actual drawbacks in allowing administrators to
create user-readable formats of queries (with links to the relevant tools etc.)
in a template-like format instead of a procedural language (JavaScript) which
is much less convenient for this task?
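The restriction proposed in this comment, as an added illustration that is not MediaWiki code and not part of the bug thread: the `xslt` parameter is accepted only as a bare name, mapped onto a page in the MediaWiki namespace, and optionally checked against the set of stylesheet pages that actually exist. The function names, the base URL `http://wiki.domain/wiki/` and the `known` allow-list are assumptions of this example.

```python
import re
from typing import Iterable, Optional

# Constructed example (not MediaWiki code). A stylesheet "name" is a short
# token of word characters, dashes and underscores: nothing that could be a
# scheme, a path, a query string or an XML delimiter survives this check.
XSLT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_xslt_href(xslt_param: Optional[str],
                      wiki_base: str = "http://wiki.domain/wiki/",
                      known: Optional[Iterable[str]] = None) -> Optional[str]:
    """Map api.php?...&xslt=<name> to MediaWiki:XSLT-<name>.xsl.

    Returns the href for the stylesheet page, or None when the parameter
    is absent, is not a bare name (e.g. a full URL), or (when ``known`` is
    given) names a stylesheet that admins have not created.
    """
    if xslt_param is None or not XSLT_NAME_RE.fullmatch(xslt_param):
        return None
    if known is not None and xslt_param not in set(known):
        return None
    # Only the validated name is interpolated; host and namespace are fixed
    # by configuration, so an external stylesheet can never be referenced.
    return f"{wiki_base}MediaWiki:XSLT-{xslt_param}.xsl"


def stylesheet_pi(xslt_param: Optional[str],
                  wiki_base: str = "http://wiki.domain/wiki/",
                  known: Optional[Iterable[str]] = None) -> str:
    """Build the xml-stylesheet processing instruction, or "" if the
    parameter was rejected (the API output is then emitted unchanged)."""
    href = resolve_xslt_href(xslt_param, wiki_base, known)
    if href is None:
        return ""
    # The regex above excludes quotes, '<', '>' and '?', so the href can be
    # placed inside the attribute without further escaping.
    return f'<?xml-stylesheet href="{href}" type="text/xsl"?>'


if __name__ == "__main__":
    print(stylesheet_pi("foo"))
    # The external reference from comment #4 is rejected outright:
    print(repr(stylesheet_pi("http://malicious.site/steal-cookies.xslt")))
```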

