That already happened and the user got blocked indefinitely immediately
after the incident. The JS was there for seven minutes, which is bad enough IMO.

One thing is that the Persian Wikipedia community is working to strip the right
of editing the mediawiki ns from the templateeditor user group:
https://fa.wikipedia.org/w/index.php?oldid=22370489#%D9%86%D8%B8%D8%B1%D8%AE%D9%88%D8%A7%D9%87%DB%8C_%D8%A8%D8%B1%D8%A7%DB%8C_%DA%AF%D8%B1%D9%81%D8%AA%D9%86_%D8%AF%D8%B3%D8%AA%D8%B1%D8%B3%DB%8C_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4_%D9%81%D8%B6%D8%A7%DB%8C_%D9%86%D8%A7%D9%85_%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C_%D8%A7%D8%B2_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4%DA%AF%D8%B1%D8%A7%D9%86_%D8%A7%D9%84%DA%AF%D9%88

Other things include protecting us from this type of js inside the
mediawiki. That's going to be difficult.

Best

On Wed, Mar 14, 2018 at 4:59 PM Derk-Jan Hartman <d.j.hartman+wmf...@gmail.com> wrote:

> In my opinion, such accounts should be globally blocked btw. It is a
> grave breach of trust and such accounts cannot be trusted anywhere
> else either. Thanks for playing, but goodbye for ever.
>
> DJ
>
> On Wed, Mar 14, 2018 at 3:42 PM, Brian Wolff <bawo...@gmail.com> wrote:
> > On Wednesday, March 14, 2018, David Gerard <dger...@gmail.com> wrote:
> >> What ways are there to include user-edited JavaScript in a wiki page?
> >>
> >> I ask because someone put this revision in (which is now deleted):
> >>
> >> https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js&diff=next&oldid=22367460&uselang=en
> >>
> >> You can't see it now, but it was someone including a JavaScript
> >> cryptocurrency miner in common.js!
> >>
> >> Obviously this is not going to be a common thing, and common.js is
> >> closely watched. (The above edit was reverted in 7 minutes, and the
> >> user banned.)
> >>
> >> But what are the ways to get user-edited JavaScript running on a
> >> MediaWiki, outside one's own personal usage? And what permissions are
> >> needed? I ask with threats like this in mind.
> >>
> >>
> >> - d.
> >>
> >> _______________________________________________
> >> Wikitech-l mailing list
> >> Wikitech-l@lists.wikimedia.org
> >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
> > You need editinterface, edituserjs, or some of the centralnotice related
> > rights (or the steward related rights to give yourself these rights).
> >
> > Any method that does not involve editinterface or a related right that is
> > normally restricted to administrator (or higher group) should be considered
> > a serious security issue in mediawiki and reported immediately.
> >
> > --
> > Brian Wolff
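An added example, not part of the thread and not MediaWiki's own code: a Python audit that lists which user groups hold the rights named above (editinterface, edituserjs) so that a group like templateeditor holding editinterface stands out. Assumptions: `centralnotice-admin` and `userrights` stand in for the "centralnotice related" and "steward related" rights, the `EXPECTED_GROUPS` allow-list is hypothetical, and the siteinfo response is a constructed sample.

```python
import json

# Rights named in the thread that let an account change JavaScript served to
# other users, plus "userrights", which lets a holder grant those rights.
JS_RIGHTS = {"editinterface", "edituserjs", "centralnotice-admin"}
GRANTING_RIGHTS = {"userrights"}

# Assumption: groups this wiki intends to trust with site-wide JavaScript.
EXPECTED_GROUPS = {"sysop", "steward"}

# Constructed sample shaped like the response of
# api.php?action=query&meta=siteinfo&siprop=usergroups&format=json
SAMPLE_SITEINFO = json.dumps({"query": {"usergroups": [
    {"name": "*", "rights": ["read", "edit"]},
    {"name": "user", "rights": ["read", "edit", "move"]},
    {"name": "templateeditor", "rights": ["templateeditor", "editinterface"]},
    {"name": "sysop", "rights": ["block", "delete", "editinterface", "edituserjs"]},
    {"name": "steward", "rights": ["userrights"]},
]}})


def audit_js_rights(siteinfo_json, expected=EXPECTED_GROUPS):
    """Return (group, rights, expected?) for every group that can edit, or
    grant the ability to edit, JavaScript run for other users."""
    groups = json.loads(siteinfo_json)["query"]["usergroups"]
    findings = []
    for group in groups:
        risky = (JS_RIGHTS | GRANTING_RIGHTS) & set(group.get("rights", []))
        if risky:
            findings.append((group["name"], sorted(risky), group["name"] in expected))
    return findings


def unexpected_groups(siteinfo_json, expected=EXPECTED_GROUPS):
    """Names of groups holding a JavaScript-capable right outside the allow-list."""
    return [name for name, _, ok in audit_js_rights(siteinfo_json, expected) if not ok]


if __name__ == "__main__":
    for name, rights, ok in audit_js_rights(SAMPLE_SITEINFO):
        print(f"{'ok   ' if ok else 'CHECK'} {name}: {', '.join(rights)}")
```
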