On Oct 24, 2004, at 7:01 AM, Petr Kadlec wrote:
AFAICS this means that no HTML entities may occur in the blockiptext
message (as every & gets converted to &). Is there any reason for
that? Why not drop the htmlspecialchars() out? Is there any generic
rule when it is used and when not? (I mean, some other special pages
seem to use addHTML( wfMsg( ... ) ) etc.)
Raw HTML is dangerous for several reasons, chiefly these two:
* If a message does not contain 100% valid HTML, pages using it would
become completely inaccessible in strict XHTML output mode. An
accidental change by a sysop to a critical message could make the
ENTIRE WIKI inaccessible to everyone until someone with direct database
access came in to fix it.
* HTML can contain JavaScript; a sysop account could be used to add a
cross-site scripting attack to EVERY PAGE OF THE WIKI. (On some larger
wikis we have literally hundreds of sysops, who might not all be
trusted; also accounts may be compromised by various means including
unknown but limited-exposure cross-site scripting attacks.)
As such I've been gradually moving wiki messages over to be wikitext
where possible, or else plaintext (via htmlspecialchars). This is not
yet complete.
-- brion vibber (brion @ pobox.com)
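The two failure modes Brion lists, and the double-escaping Petr noticed, can be seen side by side in a small PHP script. This is an added example, not MediaWiki code; the message strings, the `renderRaw`/`renderEscaped` helpers and the `isWellFormedXhtml` check are all constructed for illustration, and `renderRaw` only stands in for what `addHTML( wfMsg( ... ) )` amounts to.

```php
<?php
// Added example (not MediaWiki's own code). Shows what happens to a
// sysop-editable interface message under the two rendering strategies
// discussed in the thread: raw HTML versus htmlspecialchars() plaintext.

// Constructed sample messages. The first is the legitimate case Petr
// raises (an entity in the text); the second has an unclosed tag, as an
// accidental sysop typo might; the third stands in for an untrusted edit.
$entityMsg   = 'Your IP is blocked. Contact the admins &amp; cite the log entry.';
$brokenMsg   = 'You are <b>blocked from editing.';
$scriptMsg   = 'Blocked.<script>/* untrusted content */</script>';

// Raw path: the message is dropped into the page as HTML, unchanged.
function renderRaw(string $msg): string {
    return '<div class="mw-message">' . $msg . '</div>';
}

// Plaintext path: every &, <, >, " and ' is escaped, so the message can
// never contribute markup of its own.
function renderEscaped(string $msg): string {
    return '<div class="mw-message">' . htmlspecialchars($msg, ENT_QUOTES) . '</div>';
}

// Cheap indicator of active content surviving into the output.
function containsActiveContent(string $html): bool {
    return (bool) preg_match('/<script\b|\bon\w+\s*=/i', $html);
}

// Strict XHTML is parsed as XML; anything malformed makes the whole page
// unrenderable, which is Brion's first point. loadXML() returns false on
// malformed input, so wrap the fragment and let libxml judge it.
function isWellFormedXhtml(string $fragment): bool {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML('<root>' . $fragment . '</root>');
    libxml_clear_errors();
    return $ok !== false;
}

foreach (['entity' => $entityMsg, 'broken' => $brokenMsg, 'script' => $scriptMsg] as $name => $msg) {
    $raw = renderRaw($msg);
    $esc = renderEscaped($msg);
    printf("%-7s raw:     wellformed=%s active=%s  %s\n", $name,
        isWellFormedXhtml($raw) ? 'yes' : 'no',
        containsActiveContent($raw) ? 'yes' : 'no', $raw);
    printf("%-7s escaped: wellformed=%s active=%s  %s\n", $name,
        isWellFormedXhtml($esc) ? 'yes' : 'no',
        containsActiveContent($esc) ? 'yes' : 'no', $esc);
}
```

Running it shows the trade-off exactly as the thread describes it: the escaped path is always well-formed and never carries active content, but the entity message comes out as `&amp;amp;`, so the reader sees a literal `&amp;` on the page (Petr's complaint). The raw path keeps the entity intact but lets the unclosed `<b>` break strict XHTML output and lets the script element reach every page that includes the message. Wikitext, which Brion is migrating messages toward, is the middle ground: it is parsed and sanitized before reaching HTML rather than trusted or flattened.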