Currently, while {{urlencod}}ing, content in strip markers is skipped. I believe this violates the expectation that the entire output will be properly escaped to be placed in a sensitive context.
An example is in the infobox book caption on, https://en.wikipedia.org/wiki/%22F%22_Is_for_Fugitive There’s a brief discussions of the security implications of some proposed solutions in the review of, https://gerrit.wikimedia.org/r/#/c/181519/ It seems best (I guess) to just drop the content (`killMarkers()`). Any opinions or better ideas? Thanks, Arlo _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l