On 05/27/2014 09:11 PM, John wrote:
How would this work for non-wmf wikis?
It could be configurable, and default to only allowing content under the
image upload path on the local wiki (if it's enabled at all).
what about executing JavaScript that is posted to a
approved wiki? This would make XSS and a whole host of other
problems a lot easier to do. So we whitelist
commons.wikimedia.org whats
stopping a user from making a user subpage with some JS code that executes
something arbitrary?
I specifically said
bits.wikimedia.org and
upload.wikimedia.org (and not
commons.wikimedia.org), neither of which host user JavaScript.
Matt Flaschen