Chris & Brad, thanks for your feedback.
However, correct me if I'm wrong, but I think there is no risk in my
extension, as I'm spitting out a bittorrent response which is mime-type
'text/html' but is actually just plain text. So it isn't to be
interpreted as HTML, nor could user input be returned at all...
On 02.01.2013 14:45, Chris Steipp wrote:
> On Mon, Dec 31, 2012 at 7:49 AM, Brad Jorsch <bjorsch(a)wikimedia.org> wrote:
>> On Fri, Dec 28, 2012 at 3:26 PM, <webmaster(a)numerica.cl> wrote:
>>> Exactly, I would need it to return just plain text/html for an
>>> other program to interpret it, so having it inside an array is
>>> problematic. Sounds too difficult?
>> Be careful you don't introduce security holes when doing this.
>> https://www.mediawiki.org/wiki/Cross-site_scripting might be a good
>> read.
> Yes please. Whatever the output, you want to make sure it's not
> interpreted as html, otherwise a <script> tag in the text will
> execute javascript if it's loaded in an iframe, or one of your users
> is redirected to the api's output somehow. Obviously, if this is just
> for your own wiki, you can decide if that's a threat or not. If you
> want to merge it into core, then you will need to do a lot of
> filtering on the output.
_______________________________________________
Mediawiki-api mailing list
Mediawiki-api(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
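The point Chris and Brad are making is that the browser decides how to parse a response from its declared `Content-Type`, not from what the author considers the body to "really" be. The following added example (not code from the thread or from MediaWiki) models three ways the same payload could be served and checks which of them a browser would parse as markup. The sample body is a constructed string that merely looks like a bittorrent-style response with a `<script>` tag embedded; the function names and the `build_*` helpers are assumptions for illustration.

```python
import html

# Constructed sample: a bencode-looking payload that happens to contain markup.
# It is NOT real tracker output, just a body an API might echo back verbatim.
SAMPLE_BODY = (
    "d8:intervali1800e5:peersld2:ip9:127.0.0.1ee"
    "<script>alert(1)</script>e"
)

# Media types a browser parses as HTML when loaded directly (iframe, redirect, tab).
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def media_type(headers: dict) -> str:
    """Return the bare media type from a Content-Type header, e.g. 'text/html'."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def build_html_response(body: str) -> dict:
    """The risky variant from the thread: body served unescaped as text/html."""
    return {
        "headers": {"Content-Type": "text/html; charset=utf-8"},
        "body": body,
    }


def build_plain_text_response(body: str) -> dict:
    """Preferred fix: declare text/plain so markup is displayed, not parsed.
    X-Content-Type-Options: nosniff stops the browser from second-guessing
    the declared type and 'promoting' the body to HTML."""
    return {
        "headers": {
            "Content-Type": "text/plain; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        },
        "body": body,  # body is unchanged, the other program still gets raw text
    }


def build_html_response_escaped(body: str) -> dict:
    """Fallback if the consumer truly insists on text/html: HTML-escape the
    payload so '<script>' reaches the page as literal text, not a tag."""
    return {
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        },
        "body": html.escape(body, quote=True),
    }


def markup_would_execute(response: dict) -> bool:
    """Defender-side check: would a browser that loads this response directly
    parse the body as HTML while the body still contains a raw '<'?

    - text/plain (or any non-HTML type) with nosniff: shown literally -> False
    - text/html with an unescaped '<': parsed as a tag -> True
    - no Content-Type and no nosniff: browsers may sniff the body -> treat as True
    """
    headers = response["headers"]
    body = response["body"]
    mt = media_type(headers)
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"

    if mt == "":
        # Missing type: without nosniff the browser may guess HTML from the body.
        return ("<" in body) and not nosniff
    if mt in HTML_TYPES:
        return "<" in body
    return False


if __name__ == "__main__":
    for name, resp in (
        ("text/html, raw", build_html_response(SAMPLE_BODY)),
        ("text/plain + nosniff", build_plain_text_response(SAMPLE_BODY)),
        ("text/html, escaped", build_html_response_escaped(SAMPLE_BODY)),
    ):
        print(f"{name:22s} markup executes: {markup_would_execute(resp)}")
```

Running the block shows that only the first variant lets the embedded tag reach the HTML parser; the plain-text response delivers the identical bytes to the consuming program while removing the iframe/redirect scenario from the thread, which is why changing the declared type is the smaller fix compared with filtering the output.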