2009/8/15 Michael Dale <mdale(a)wikimedia.org>:
> I don't see this as posing a security risk as it's just a mime type
> interpretation issue; the normal cross-site ajax restrictions are still
> in place. (i.e. you can't do a cross-site iframe and view the result of
> the output)
No, but you can trick the user into going to:
http://en.wikipedia.org/w/api.php?action=expandtemplates&format=json&am…
which, when visited in IE with text/plain, will result in the execution
of the JS fragment. We work around this in other formatters by using
text/text; could you test if that works for you too?
Roan Kattouw (Catrope)
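The exchange above is about content sniffing: a browser that ignores a `text/plain` declaration and renders the body as HTML will run a script fragment that the API merely echoed back. The block below is an added example, not code from the thread or from MediaWiki, showing the weak header set beside a hardened one and a small defender-side check that flags responses a sniffing browser could reinterpret. The function names, the `SNIFFABLE_TYPES` list, the `nosniff` header (which postdates the thread and is an assumption about the deployment's browser baseline) and the sample payload are all constructed for illustration.

```python
"""Added example: JSON API responses and MIME-sniffing risk (constructed, not from the thread)."""
import json

# Media types that older browsers are known to re-interpret as HTML when the
# body looks like markup. text/plain is the case discussed in the thread;
# the set is deliberately small and is an assumption, not a browser spec.
SNIFFABLE_TYPES = {"text/plain"}


def escape_markup_chars(body: str) -> str:
    """Defence in depth: encode '<' and '>' as JSON \\u escapes so the body
    no longer contains literal tag characters. Still valid JSON."""
    return body.replace("<", "\\u003c").replace(">", "\\u003e")


def build_json_response(payload: dict, hardened: bool = True) -> dict:
    """Return {'headers': ..., 'body': ...} for an API JSON reply.

    hardened=False reproduces the weak setting from the thread (text/plain,
    raw body). hardened=True uses a JSON media type, asks the browser not to
    sniff, and escapes tag characters in the serialized body."""
    body = json.dumps(payload)
    if not hardened:
        return {"headers": {"Content-Type": "text/plain; charset=utf-8"},
                "body": body}
    return {
        "headers": {
            "Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff",  # assumption: IE8+ honours this
        },
        "body": escape_markup_chars(body),
    }


def looks_like_markup(body: str) -> bool:
    """Crude detector for bodies a sniffing browser might treat as HTML."""
    lowered = body.lower()
    return any(tag in lowered for tag in ("<script", "<html", "<body"))


def is_sniff_safe(response: dict) -> bool:
    """Defender-side check for one response.

    Safe if the browser is told not to sniff, or if the declared media type
    is not one we know to be re-interpreted. A text/text reply, as used as a
    workaround in the thread, passes simply because it is not text/plain."""
    headers = {k.lower(): v for k, v in response["headers"].items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if nosniff:
        return True
    return ctype not in SNIFFABLE_TYPES


def audit(response: dict) -> list:
    """Return a list of findings (empty means nothing flagged)."""
    findings = []
    if not is_sniff_safe(response):
        findings.append("sniffable media type without nosniff")
    if looks_like_markup(response["body"]):
        findings.append("body contains markup-looking content")
    return findings


if __name__ == "__main__":
    # Constructed payload standing in for an expandtemplates result that
    # echoes wikitext containing a script tag back to the caller.
    sample = {"expandtemplates": {"*": "<script>/* constructed fragment */</script>"}}
    for mode in (False, True):
        resp = build_json_response(sample, hardened=mode)
        print("hardened" if mode else "weak", audit(resp) or "ok")
```

Running the block prints the findings for the weak response and `ok` for the hardened one; `audit` is the piece worth wiring into a test suite, since it catches a formatter that drifts back to `text/plain` without `nosniff`.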