On 05/27/2014 09:11 PM, John wrote:
How would this work for non-wmf wikis?
It could be configurable, and default to only allowing content under the image upload path on the local wiki (if it's enabled at all).
what about executing JavaScript that is posted to a approved wiki? This would make XSS and a whole host of other problems a lot easier to do. So we whitelist commons.wikimedia.org whats stopping a user from making a user subpage with some JS code that executes something arbitrary?
I specifically said bits.wikimedia.org and upload.wikimedia.org (and not commons.wikimedia.org), neither of which host user JavaScript.
Matt Flaschen