On Tue, Aug 12, 2008 at 7:54 PM, Chad <innocentkiller@gmail.com> wrote:
> I more so mean that until it's identified as being a major vulnerability, is taking a major hit to performance an acceptable hit to take?
1) I'm pretty sure it's already identified as a major vulnerability (assuming you consider XSS major).
2) I don't think allowing the vulnerability is on the table, at least not for Wikimedia. The slowdown would be for those who wanted to accept ZIP files, not for those who wanted to avoid the vulnerability -- the vulnerability is avoided regardless. (Unless you hack around and remove the blacklisting of application/zip, admittedly, which some will inevitably do, but then it's their decision as to acceptability of whatever, not ours.)
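As an added illustration of the two layers this reply contrasts (this is example code written here, not code from the thread or from MediaWiki): a declared-type blacklist that rejects application/zip outright, and the more expensive content check that looks for a ZIP archive anywhere in the uploaded bytes. The ZIP record layout comes from the public format specification; the `check_upload` policy, the blacklist set and the sample files are assumptions constructed for the example.

```python
import io
import struct
import zipfile
from typing import Optional, Tuple

# ZIP record signatures and sizes from the public PKWARE APPNOTE.
CENTRAL_DIR_HEADER = b"PK\x01\x02"
END_OF_CENTRAL_DIR = b"PK\x05\x06"
EOCD_FIXED_LEN = 22        # fixed part of the End Of Central Directory record
MAX_COMMENT_LEN = 0xFFFF   # the archive comment length field is 16 bits

# Assumed site policy: declared types refused without looking at the bytes.
BLACKLISTED_MIME = {"application/zip"}


def find_embedded_zip(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (zip_start_offset, entry_count) if `data` ends with a ZIP archive, else None.

    Archive readers locate a ZIP from its end, so an archive appended to an
    otherwise valid image is still a readable archive.  The EOCD record must sit
    in the last EOCD_FIXED_LEN + MAX_COMMENT_LEN bytes, so only that tail is scanned,
    and we verify that a central directory header really precedes the EOCD rather
    than trusting the four-byte signature alone.
    """
    tail_start = max(0, len(data) - (EOCD_FIXED_LEN + MAX_COMMENT_LEN))
    pos = data.rfind(END_OF_CENTRAL_DIR, tail_start)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            entries, cd_size, cd_offset, comment_len = struct.unpack_from("<HIIH", data, pos + 10)
            # The record plus its comment must end exactly at the end of the file.
            if pos + EOCD_FIXED_LEN + comment_len == len(data):
                cd_pos = pos - cd_size
                if entries == 0 and cd_size == 0:
                    return (cd_pos - cd_offset, 0)          # empty archive
                if cd_pos >= 0 and data[cd_pos:cd_pos + 4] == CENTRAL_DIR_HEADER:
                    # Offsets inside the archive are relative to its own start,
                    # which for an appended archive is not offset 0 of the file.
                    return (cd_pos - cd_offset, entries)
        pos = data.rfind(END_OF_CENTRAL_DIR, tail_start, pos)
    return None


def check_upload(data: bytes, declared_mime: str) -> Optional[str]:
    """Return a rejection reason, or None if the upload passes both checks (assumed policy)."""
    if declared_mime.lower() in BLACKLISTED_MIME:
        return f"declared MIME type {declared_mime} is blacklisted"
    found = find_embedded_zip(data)
    if found is not None:
        start, entries = found
        return f"file contains a ZIP archive ({entries} entries) starting at offset {start}"
    return None


def make_zip(entries: dict) -> bytes:
    """Build a small archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: PNG magic plus filler (not a real image), a plain archive,
# and the archive appended to the image bytes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
ZIP_SAMPLE = make_zip({"hello.txt": b"hello"})
POLYGLOT_SAMPLE = PNG_SAMPLE + ZIP_SAMPLE

if __name__ == "__main__":
    for label, blob, mime in (("png", PNG_SAMPLE, "image/png"),
                              ("zip", ZIP_SAMPLE, "application/zip"),
                              ("png+zip", POLYGLOT_SAMPLE, "image/png")):
        print(label, "->", check_upload(blob, mime) or "accepted")
```

The blacklist costs nothing but only sees what the client claims; the tail scan costs a read of the last 64 KiB of every upload, which is the performance trade-off the thread is weighing. Checking that a central directory header sits where the EOCD says it should keeps the scan from rejecting files that merely happen to contain the four signature bytes.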