kelvSYC wrote:
> First of all, I hope that you can forward it off to wikitech, but it
> seems that a malicious user at Wikibooks used their user JS to do some
> page move vandalism (see [[b:en:User:Vandel Damon/monobook.js]] for the
> JS in question). It's not so much a security loophole as it is
> undesirable for the wiki community, seeing that a lot of people would
> have to undo a lot of page moves.
>
> If there was some way in the back end to prevent this, it would be
> appreciated.
There's nothing malicious you can do from *your own* user javascript
that you can't do from a different form of client-side script or bot.
In interactions between the server and a client, JavaScript is exactly
equivalent to user-performed actions and non-browser bots.
Even if we tried to place restrictions on user JavaScript or disable it
entirely, there is no way to protect against that distinct from general
restrictions on submissions from some user. The malicious user could
trivially substitute JavaScript that comes from their local machine or
another source, use a modifying proxy to insert it, or use a different
client-side tool to perform equivalent processing.
-- brion vibber (brion @ pobox.com)
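The argument in the reply above, as an added example that is not part of the thread and is not MediaWiki code: a constructed simulation in which two clients issue page-move requests for the same account, in-browser user JS and a non-browser bot that copies the browser's headers verbatim. A check on client-supplied signals (User-Agent, X-Requested-With) admits both, because every field it inspects is chosen by the client. A per-user rate limit on the move action, which never asks how the request was produced, constrains both equally. The account name "Mallory", the header values, the burst size and the limit of 8 moves per 60 seconds are all assumptions chosen for the demonstration.

```python
# Added example (not from the thread, not MediaWiki code): a constructed
# simulation of why a per-user server-side restriction is the only defense.
from collections import defaultdict, deque

# Constructed requests. "Mallory" is a hypothetical account name.
BROWSER_JS_REQUEST = {
    "user": "Mallory",
    "action": "move",
    "headers": {"User-Agent": "Mozilla/5.0", "X-Requested-With": "XMLHttpRequest"},
}
# The bot forges every header; the server only ever sees what the client sends.
BOT_REQUEST = {
    "user": "Mallory",
    "action": "move",
    "headers": dict(BROWSER_JS_REQUEST["headers"]),
}


def fingerprint_allows(request, now=None):
    """A 'defense' that tries to admit only a human in a browser.
    Every field inspected is chosen by the client, so a bot or a modifying
    proxy reproduces it exactly; the check passes for both clients."""
    headers = request["headers"]
    return (headers.get("User-Agent", "").startswith("Mozilla/")
            and headers.get("X-Requested-With") == "XMLHttpRequest")


class MoveRateLimiter:
    """Sliding-window limit on the move action, keyed on the account only.
    Because it ignores how the request was produced, it applies identically
    to user JS, a local script, a modifying proxy or a non-browser bot."""

    def __init__(self, max_moves, window_seconds):
        self.max_moves = max_moves
        self.window = window_seconds
        self.history = defaultdict(deque)  # user -> timestamps of recent moves

    def allows(self, request, now):
        if request["action"] != "move":
            return True
        recent = self.history[request["user"]]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop moves that have fallen out of the window
        if len(recent) >= self.max_moves:
            return False
        recent.append(now)
        return True


def replay_burst(request, decide, count=30, interval=0.2, start=0.0):
    """Send `count` copies of `request`, `interval` seconds apart, through
    decide(request, now); return how many were accepted."""
    return sum(1 for i in range(count) if decide(request, start + i * interval))


def compare(max_moves=8, window_seconds=60):
    """Accepted-move counts for each client under each defense."""
    results = {
        "fingerprint": {
            "browser_js": replay_burst(BROWSER_JS_REQUEST, fingerprint_allows),
            "bot": replay_burst(BOT_REQUEST, fingerprint_allows),
        }
    }
    # Fresh limiter per client: each client is cut off at the same point.
    results["rate_limit"] = {
        "browser_js": replay_burst(BROWSER_JS_REQUEST,
                                   MoveRateLimiter(max_moves, window_seconds).allows),
        "bot": replay_burst(BOT_REQUEST,
                            MoveRateLimiter(max_moves, window_seconds).allows),
    }
    # One limiter shared by both bursts: the account, not the client, is what
    # has a budget, so the bot gets nothing once the user JS has used it up.
    shared = MoveRateLimiter(max_moves, window_seconds)
    results["rate_limit_same_account"] = {
        "browser_js": replay_burst(BROWSER_JS_REQUEST, shared.allows),
        "bot_afterwards": replay_burst(BOT_REQUEST, shared.allows, start=10.0),
    }
    return results


if __name__ == "__main__":
    for defense, counts in compare().items():
        print(defense, counts)
```

The fingerprint check accepts all 30 moves from each client; the rate limit accepts 8 from each when they have separate budgets, and 8 then 0 when they share the account, which is the only thing the server can actually key on.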