On Sat, Dec 29, 2012 at 6:59 PM, Platonides <platoni...@gmail.com> wrote:
>> Is there any sound reason to strip html comments away? If there is no sound
>> reason, could such a stripping be avoided?

Comments can sometimes be used to get XSS in unexpected ways (like
conditional comments for IE). I think they're stripped because that
was easier than writing a sanitizer for them, and they're pretty
useless.

If all else fails, you can do the hacky thing of stuffing information
into either a class attribute or title attribute of an element. (data
even better, but I don't know if that's allowed in wikitext or not)

--bawolff

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
