On Thu, Mar 26, 2009 at 9:15 PM, Ilmari Karonen <nos...@vyznev.net> wrote:
> Hmm, you're right, it does -- I didn't realize the title was used
> unescaped.  That looks uncomfortably close to an XSS vulnerability
> anyway.  I'd feel a lot more comfortable with a htmlspecialchars() in
> there.  (Didn't we use to allow "<" in titles not so very long ago?
> Certainly the feature that disallows HTML entities in titles is fairly
> recent.)

I'm pretty sure we haven't allowed < in titles for a long time.
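As an added illustration of the point Ilmari raises (example code, not from the thread or from MediaWiki): keeping "<" out of titles does not make unescaped output safe, because characters the title rule still permits are significant inside a double-quoted attribute, and only escaping at output time neutralizes them. `titleAllowed()` is a constructed stand-in for the title rule, not the real validator, and `noStrayQuotes()` is a constructed check on the rendered HTML.

```php
<?php
// Added example, not code from the thread or from MediaWiki.

// Constructed stand-in for the title rule discussed above: no "<" or ">"
// and no HTML entities. It is NOT the real MediaWiki title validator.
function titleAllowed(string $title): bool
{
    return preg_match('/[<>]|&[#\w]+;/', $title) === 0;
}

// The pattern flagged in the thread: the title dropped into HTML unescaped.
function renderUnescaped(string $title): string
{
    return '<a href="/wiki/' . $title . '" title="' . $title . '">' . $title . '</a>';
}

// Hardened form: escape once, at output, for the HTML context. ENT_QUOTES
// covers both quote characters so the value is safe inside attributes too;
// the URL part gets URL encoding, which is a different context.
function renderEscaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="/wiki/' . rawurlencode($title) . '" title="' . $safe . '">' . $safe . '</a>';
}

// Constructed check: the template itself writes exactly four double quotes
// and no single quotes, so any other raw quote came from the title.
function noStrayQuotes(string $html): bool
{
    return substr_count($html, '"') === 4 && substr_count($html, "'") === 0;
}

// Constructed titles: all pass the "<" rule; two still carry characters
// that matter inside a quoted attribute or as entities.
$titles = ['Plain title', 'Quote " in title', 'Ampersand & apostrophe \''];

foreach ($titles as $t) {
    printf("title %-30s allowed=%s unescaped_ok=%s escaped_ok=%s\n",
        var_export($t, true),
        titleAllowed($t) ? 'yes' : 'no',
        noStrayQuotes(renderUnescaped($t)) ? 'yes' : 'NO',
        noStrayQuotes(renderEscaped($t)) ? 'yes' : 'NO');
}
```

Running it shows the two quote-bearing titles pass the filter yet break the attribute when rendered unescaped, while the escaped rendering stays intact for all three.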

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l