User "Pgehres (WMF)" posted a comment on MediaWiki.r99802. Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/99802#c25218 Commit summary:
Initial commit of Extension:FundraiserLandingPage

Comment:

From #wikimedia-dev, 2011/10/20

[01:12am] pgehres: TimStarling: if you'd like to chat about the extension more synchronously, I'm around
[01:12am] TimStarling: pgehres: I think running the parameters through a restrictive regex would prevent security issues
[01:13am] TimStarling: but it would limit what you can do with the extension
[01:13am] TimStarling: if you tried to put text in there for display, it wouldn't be long before you started missing your punctuation
[01:13am] pgehres: TimStarling: yes, but I think we will generally be loading other templates for the appeal text since it will need to be localized
[01:14am] pgehres: I am willing to sacrifice some flexibility for security
[01:14am] TimStarling: if you just made 400 pages, and didn't use the extension at all, it would be pretty secure
[01:15am] pgehres: That is definitely true, but we would need to make many times that many
[01:15am] pgehres: It's about 400 per appeal
[01:15am] TimStarling: fair enough
[01:16am] TimStarling: obviously page creation can be automated, but that won't make sense as a solution above a few thousand pages
[01:18am] pgehres: we did think about bots as well, but we are already passing country and language in the query string and it seemed more natural to do this and do even more switches in wiki-markup (as well as less fragile during the fundraiser)
[01:19am] pgehres: I will go ahead and implement the regex if you think that's a reasonable solution
[01:20am] TimStarling: yes, I think it will work, barring some really unlikely template constructions
[01:20am] pgehres: okay, thank you very much for looking at this
[01:20am] TimStarling: <script>eval(base64_decode('{{{value}}}')); </script>