On Tue, Jan 22, 2013 at 3:53 AM, Daniel Friesen <dan...@nadir-seen-fire.com> wrote:
> On Mon, 21 Jan 2013 21:50:32 -0800, Alex Brollo <alex.bro...@gmail.com> wrote:
>
>> I tried to build a template which wraps template parameters into
>> data-attributes. First results have been encouraging, then I found something
>> logical but unexpected, crushing the whole idea.
>>
>> I wrote into the code of an infobox-like template something like this:
>>
>> <span data-author="{{{author}}}" data-birthdate="{{{birthDate}}}" ...></span>
>>
>> and I very happily saw that the HTML code had my data wrapped into such span
>> tags.
>>
>> But... I was testing my code with clean templates, i.e. templates which
>> have no wikicode in parameter values (as usually occurs on it.wikisource).
>> As soon as I tested my idea on another project (Commons) I found that any
>> wikicode (template call, parameter, link...) present in the value of an
>> infobox parameter breaks the stuff, since it is parsed and expanded by the
>> parser with unpredictable results.
>>
>> So... I ask you again: is there any sound reason (i.e. safety-related or
>> server-load-related) to avoid that HTML comments wrapped into raw page
>> wikicode are sent back into the HTML rendering as they are?
>>
>> Alex brollo
>
> Yes.
>
> Thanks to IE, even comments can actually be treated as raw HTML and end up
> executing scripts, opening up XSS holes in the wiki.
Seconded. There is really no safe way to allow comments through.

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
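The following is an added illustration of the point made in the two replies above; it is not code from the thread or from MediaWiki. It models the policy Alex asked for (copy anything that looks like <!-- ... --> into the rendered page unchanged) against the policy the replies defend and that MediaWiki's parser actually follows (delete comments before rendering), and then asks what a browser would execute. Besides the IE conditional comment Daniel refers to (IE 5 through 9 evaluate <!--[if IE]> ... <![endif]--> and render its body), it goes one step further than the thread and also covers two HTML5 tokenizer rules that make a server-side "<!-- ... -->" matcher disagree with the browser: a comment closed by "--!>" and the abruptly closed "<!-->". The sample inputs, the function names and the small browser model are all constructed for this example.

```python
"""Why HTML comments cannot be passed through a wiki sanitizer verbatim.

Added example; not MediaWiki code. Compares two sanitizer policies on
constructed wikitext and models which bytes a browser treats as live markup.
"""
import html
import re

# Constructed inputs: strings a wiki editor could put in a parameter value.
SAMPLES = {
    # The harmless case the original poster wanted to keep.
    "plain": "Some text <!-- editorial note --> more text",
    # IE 5-9 "downlevel-hidden" conditional comment: every other browser
    # sees an ordinary comment, IE renders the body as markup.
    "ie_conditional": "<!--[if IE]><script>alert(1)</script><![endif]-->",
    # HTML5 "comment end bang" state: the browser ends the comment at "--!>",
    # so the <img> is live even though the string still "looks" commented.
    "bang_close": "<!-- note --!><img src=x onerror=alert(1)> -->",
    # HTML5 abrupt close: "<!-->" is a complete (empty) comment.
    "abrupt_close": "<!--><script>alert(1)</script>-->",
}

# What a lazy server-side matcher usually considers "one comment".
NAIVE_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
IE_CONDITIONAL_RE = re.compile(r"<!--\[if [^\]]*\]>(.*?)<!\[endif\]-->", re.DOTALL)
ACTIVE_CONTENT_RE = re.compile(r"<script\b|\son[a-z]+\s*=", re.IGNORECASE)


def passthrough_comments(wikitext: str) -> str:
    """Policy asked for in the thread: escape ordinary text, but copy anything
    matching <!-- ... --> into the output unchanged."""
    out, pos = [], 0
    for m in NAIVE_COMMENT_RE.finditer(wikitext):
        out.append(html.escape(wikitext[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(html.escape(wikitext[pos:]))
    return "".join(out)


def strip_comments(wikitext: str) -> str:
    """Policy the replies defend: delete comments, then escape what is left."""
    return html.escape(NAIVE_COMMENT_RE.sub("", wikitext))


def browser_live_markup(document: str) -> str:
    """Return the bytes a browser treats as markup rather than comment text.

    Models the HTML5 comment tokenizer states that matter here ("<!-->",
    "<!--->", "-->" and "--!>" all end a comment; an unterminated comment
    runs to end of input) and then adds the body of any IE downlevel-hidden
    conditional comment, since IE 5-9 render that body.
    """
    live, i, n = [], 0, len(document)
    while i < n:
        start = document.find("<!--", i)
        if start == -1:
            live.append(document[i:])
            break
        live.append(document[i:start])
        j = start + 4
        if document.startswith(">", j):        # "<!-->"
            end = j + 1
        elif document.startswith("->", j):     # "<!--->"
            end = j + 2
        else:
            ends = [p for p in (document.find("-->", j), document.find("--!>", j)) if p != -1]
            if not ends:
                end = n
            else:
                p = min(ends)
                end = p + (3 if document.startswith("-->", p) else 4)
        comment = document[start:end]
        cond = IE_CONDITIONAL_RE.fullmatch(comment)
        if cond:
            live.append(cond.group(1))         # IE executes this part
        i = end
    return "".join(live)


def is_exploitable(rendered: str) -> bool:
    """True if the markup a browser actually executes carries a <script>
    element or an inline event handler attribute."""
    return ACTIVE_CONTENT_RE.search(browser_live_markup(rendered)) is not None


def compare() -> dict:
    """For each sample: (exploitable under pass-through, exploitable under strip)."""
    return {
        name: (is_exploitable(passthrough_comments(src)), is_exploitable(strip_comments(src)))
        for name, src in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (passthrough, stripped) in compare().items():
        print(f"{name:15s} pass-through exploitable={passthrough!s:5s} strip exploitable={stripped}")
```

The three hostile samples all survive the pass-through policy as a single "comment" according to the server-side regex, yet the browser model executes a script or event handler in each of them; under the strip policy none of the outputs contains a "<" at all. That is the asymmetry behind "no safe way to allow comments through": the server would have to reproduce every browser's comment-parsing quirks exactly, while deleting the comment costs nothing.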