https://bugzilla.wikimedia.org/show_bug.cgi?id=11106
Krinkle <krinklem...@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |krinklem...@gmail.com --- Comment #7 from Krinkle <krinklem...@gmail.com> --- I'm not sure I see how making this entire thing a configuration variable is a good thing. Security should not be configurable. Another big reason why url() is forbidden is to avoid cross-domain requests being made from a wiki page (especially with regards to CSRF, DDOS, traffic sniffing, privacy policy etc.). When additional security issues are found and added to MediaWiki, existing installs that customised this filter for some silly feature, will no longer be using adequate security measures. I recommend this feature be reverted and we figure out a way to enable this other use of url() in a sane way. Whether we want that way to be allowed always or behind an opt-in flag is a separate question, but I don't think there is valid use case for making the entire thing configurable. That only complicates maintenance, security updates, and overall mobility of wikitext between sites. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l