On Wed, Mar 14, 2018 at 9:14 AM, Jon Robson jdlrobson@gmail.com wrote:
> It has always made me a little uneasy that there are wiki pages where JavaScript could potentially be injected into my page without my approval. To be honest, if I had the option I would disable all site and user scripts for my account.
It's not particularly hard to do with a browser extension; you just need to edit ResourceLoader (load.php) URLs and remove the 'user', 'site', 'ext.gadget.*' modules.
> Has this sort of thing happened before?
Outside Wikimedia, plenty. http://www.bbc.com/news/technology-43025788 was one of the more high-profile examples.
On Wikimedia wikis, well-intentioned but misguided uses of external scripts are not uncommon (back when I was a fairly new admin on the Hungarian Wikipedia, we included an AWStats counter in the page footer under an, uh, fairly liberal interpretation of the terms of use... the developers were not amused). As far as I am aware there was no malicious one.
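
The load.php rewrite described in the reply above, as an added example that is not part of the original message or of MediaWiki's code. It assumes ResourceLoader's packed `modules` syntax (groups separated by `|`, with `foo.bar,baz` standing for `foo.bar` and `foo.baz`); the function names and the `wiki.example` host used to exercise it are hypothetical.

```javascript
// Modules to drop, exactly as listed in the message: 'user', 'site', 'ext.gadget.*'.
const BLOCKED = [/^user$/, /^site$/, /^ext\.gadget\./];

// Expand the packed "modules" value into full module names.
// A plain substring match would miss "bar" in "ext.gadget.foo,bar",
// so the list is expanded before filtering.
function expandModules(packed) {
  const names = [];
  for (const group of packed.split('|')) {
    if (!group) continue;
    const dot = group.lastIndexOf('.');
    if (!group.includes(',')) {
      names.push(group); // single module
    } else if (dot === -1) {
      names.push(...group.split(',')); // prefixless modules, e.g. "site,user"
    } else {
      const prefix = group.slice(0, dot); // shared prefix, e.g. "ext.gadget"
      for (const suffix of group.slice(dot + 1).split(',')) {
        names.push(`${prefix}.${suffix}`);
      }
    }
  }
  return names;
}

// Returns the rewritten URL, the original URL if it is not a load.php
// module request, or null when every requested module was blocked
// (the caller should then cancel the request).
function stripWikiScripts(rawUrl) {
  const url = new URL(rawUrl);
  if (!url.pathname.endsWith('/load.php') || !url.searchParams.has('modules')) {
    return rawUrl;
  }
  const kept = expandModules(url.searchParams.get('modules'))
    .filter((name) => !BLOCKED.some((re) => re.test(name)));
  if (kept.length === 0) return null;
  // One module per group is valid packed syntax, so no re-compression is needed.
  url.searchParams.set('modules', kept.join('|'));
  return url.toString();
}
```

In an extension, `stripWikiScripts` would be called from whatever request-interception hook the browser provides, redirecting to the returned URL or cancelling on `null`.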