Jdlrobson added subscribers: Tgr, Jdlrobson. Jdlrobson reopened this task as "Open". Jdlrobson added a comment.
Have you verified this works? As @tgr points out:

"... at a glance this seems wrong: a URL should not have spaces; it should be percent-encoded, which turns spaces into %20. Not percent-encoding URLs is probably an XSS vector. An attribute that is not surrounded by quotes is also typically an XSS vector (especially if the parameter is not URL-encoded). The patch fixes the href but does not fix the src. You should probably review your code for other instances of these errors."

Can you give an example of a page which had this issue so I can inspect what's happening?

TASK DETAIL
https://phabricator.wikimedia.org/T106321
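The three points in the quoted review (percent-encode the URL, quote the attribute, treat href and src alike), shown as an added example that is not code from the patch or the project. The function names, base URL and file name are constructed for illustration.

```javascript
// Escape characters that are significant inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Weak form: raw file name concatenated into unquoted attributes.
function unsafeThumb(base, fileName) {
  const url = base + fileName;
  return '<a href=' + url + '><img src=' + url + '></a>';
}

// Hardened form: percent-encode the path segment, escape the result,
// and quote the attribute. href and src get identical treatment.
function safeThumb(base, fileName) {
  const url = escapeAttr(base + encodeURIComponent(fileName));
  return '<a href="' + url + '"><img src="' + url + '"></a>';
}

// Minimal attribute lister for one start tag. Like an HTML parser, it ends an
// unquoted value at the first whitespace, so anything after a space in an
// unquoted value becomes a separate attribute.
function attrNames(html, tagName) {
  const tag = new RegExp('<' + tagName + '\\s([^>]*)>', 'i').exec(html);
  if (!tag) return [];
  const names = [];
  const re = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s]*))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample input: a file name containing spaces and an '='.
const BASE = 'https://example.org/files/';
const FILE = 'My photo.png data-injected=1';

console.log(attrNames(unsafeThumb(BASE, FILE), 'a'));   // file name leaks into attributes
console.log(attrNames(unsafeThumb(BASE, FILE), 'img')); // same flaw on src
console.log(attrNames(safeThumb(BASE, FILE), 'a'));     // only href
console.log(attrNames(safeThumb(BASE, FILE), 'img'));   // only src
```

A check like `attrNames` is useful as a regression test: assert that rendering a file name with spaces yields exactly one attribute on each tag.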