On Tue, Jan 22, 2013 at 3:53 AM, Daniel Friesen
<dan...@nadir-seen-fire.com> wrote:
> On Mon, 21 Jan 2013 21:50:32 -0800, Alex Brollo <alex.bro...@gmail.com>
> wrote:
>
>> I tried to build a template which wraps template parameters into
>> data-attributes. First results have been encouraging, then I found
>> something logical but unexpected, crushing the whole idea.
>>
>>
>> I wrote into the code of an infobox-like template something like this:
>>
>> <span data-author="{{{author}}}"
>> data-birthdate="{{{birthDate}}}"....></span>
>>
>> and I very happily see that html code had my data wrapped into such span
>> tags.
>>
>> But.... I was testing my code with clean templates, i.e. templates which
>> have no wikicode in parameter values (as usually occurs on
>> it.wikisource). As soon as I tested my idea on another project (Commons)
>> I found that any wikicode (template call, parameter, link....) present
>> in the value of an infobox parameter breaks the stuff, since it is parsed
>> and expanded by the parser with unpredictable results.
>>
>> So... I ask you again: is there any sound reason (i.e. safety related, or
>> server loading related) to avoid that HTML comments, wrapped into raw page
>> wikicode, are sent back into html rendering as-they-are?
>>
>> Alex brollo
>
>
> Yes.
>
> Thanks to IE, even comments can actually be treated as raw html and end up
> executing scripts, opening up XSS holes in the wiki.

Seconded. There is really no safe way to allow comments through.
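
The mitigation the thread is describing, as an added illustration that is neither MediaWiki's code nor anything posted by the participants: an output-side filter that removes every HTML comment before the rendered page reaches the browser, including the `<!--[if IE]> ... <![endif]-->` conditional-comment form (a legacy Internet Explorer feature, assumed here as the "comments treated as raw html" case) and the malformed terminators a browser's parser also accepts. The sample inputs are constructed.

```python
import re

# A browser ends a comment at "-->" or at the malformed "--!>"; it also
# accepts the abruptly closed "<!-->" and "<!--->" as empty comments.
# Matching all of these keeps the filter's idea of "comment" aligned with
# the parser's, so no comment text survives to be reinterpreted.
_COMMENT = re.compile(r"<!--(?:>|->|.*?(?:-->|--!>))", re.DOTALL)


def strip_html_comments(html: str) -> str:
    """Return `html` with every HTML comment removed.

    Terminated comments are deleted outright. If an unterminated "<!--"
    remains, a browser would treat everything after it as comment text, so
    the remainder is dropped rather than left for the parser to recover.
    """
    out = _COMMENT.sub("", html)
    start = out.find("<!--")  # anything left is unterminated
    if start != -1:
        out = out[:start]
    return out


if __name__ == "__main__":
    # Constructed sample: an IE conditional comment wrapping a script tag,
    # which an old IE would execute if the comment were passed through raw.
    sample = '<!--[if IE]><script src="x"></script><![endif]--><p>ok</p>'
    print(strip_html_comments(sample))  # -> <p>ok</p>
```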

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l