2009/8/15 Michael Dale mdale@wikimedia.org:
I don't see this as posing a security risk, as it's just a MIME type interpretation issue; the normal cross-site AJAX restrictions are still in place (i.e. you can't do a cross-site iframe and view the result of the output).
No, but you can trick the user into going to:
http://en.wikipedia.org/w/api.php?action=expandtemplates&format=json&...<script>alert('Whee!');</script>
Which, when visited in IE with text/plain, will result in the execution of the JS fragment. We work around this in other formatters by using text/text; could you test if that works for you too?
Roan Kattouw (Catrope)
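As an added illustration of the defensive side of this thread (not code from the mailing list or from MediaWiki), the following Python sketch does two things: it escapes angle brackets in JSON output as \u003c/\u003e so the response body never contains a literal <script> tag even when the data does, and it flags a response that an old IE would content-sniff as HTML (a text/plain or missing Content-Type with tag-like bytes in the body). The X-Content-Type-Options: nosniff header is a later, real IE mitigation for the same sniffing behaviour; it is not mentioned in the thread and is only included here as a hardening note.

```python
import json
import re

# Constructed sample: API output carrying a user-supplied parameter, as in the
# expandtemplates URL quoted above.
SAMPLE = {"expandtemplates": {"*": "<script>alert('Whee!');</script>"}}

# Tags that legacy IE content sniffing treats as evidence of HTML.
TAG_RE = re.compile(r"<\s*(script|html|body|iframe|img|a\b)", re.IGNORECASE)


def safe_json(obj):
    """Serialise to JSON with < and > escaped as \\u003c / \\u003e.

    The result is still valid JSON and decodes to the same value, but the raw
    bytes no longer contain an HTML tag, so a sniffing browser has nothing to
    interpret as markup.
    """
    return json.dumps(obj).replace("<", "\\u003c").replace(">", "\\u003e")


def build_response(obj, content_type, escape=True, nosniff=False):
    """Build a minimal HTTP-response dict (constructed, not a real framework)."""
    headers = {"Content-Type": content_type}
    if nosniff:
        # Hardening note: tells IE8+ not to sniff; not discussed in the thread.
        headers["X-Content-Type-Options"] = "nosniff"
    body = safe_json(obj) if escape else json.dumps(obj)
    return {"headers": headers, "body": body}


def sniffing_risk(response):
    """True when the response matches the scenario from the thread:
    served as text/plain (or with no type), without nosniff, and with
    tag-like content in the body that IE could render as HTML."""
    headers = response["headers"]
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ("", "text/plain"):
        return False
    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
        return False
    return TAG_RE.search(response["body"]) is not None


if __name__ == "__main__":
    for esc in (False, True):
        r = build_response(SAMPLE, "text/plain", escape=esc)
        print(esc, sniffing_risk(r), r["body"])
```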