On Mon, 21 Jan 2013 21:50:32 -0800, Alex Brollo alex.brollo@gmail.com wrote:
I tried to build a template which wraps template parameters into data- attributes. First results have been encouraging, then I found something logical but unexpected, crushing the whole idea.
I wrote into the code of an infobox-like template something like this:
<span data-author="{{{author}}}" data-birthdate="{{{birthDate}}}"....></span>
and I very happily see that html code had my data wrapped into such span tags.
But.... I was testing my code with clean templates, i.e. templates which have no wikicode in parameter values (as usually occurs in it.wikisource). As soon as I tested my idea in another project (Commons) I found that any wikicode (template call, parameter, link....) present in the value of an infobox parameter breaks the stuff, since it is parsed and expanded by the parser with unpredictable results.
So... I ask you again: is there any sound reason (i.e. safety related, or server loading related) to avoid that HTML comments, wrapped into raw page wikicode, are sent back into html rendering as-they-are?
Alex Brollo
Yes.
Thanks to IE, even comments can actually be treated as raw html and end up executing scripts opening up XSS holes in the wiki.
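
Added example, not part of the thread and not MediaWiki's own code: a sketch of the defensive alternative to passing comments through, which drops every HTML comment from the text before rendering and flags the ones written in conditional-comment form. It assumes the reply refers to IE conditional comments (`<!--[if ...]> ... <![endif]-->`), whose body older IE versions parse as markup; `stripComments`, `CONDITIONAL` and the sample string are hypothetical names and constructed data.

```javascript
// Added example (hypothetical helper, not MediaWiki code).
// Assumption: the risk in the reply is the IE conditional-comment form,
// "<!--[if ...]> ... <![endif]-->", whose body old IE parses as live markup.
const CONDITIONAL = /^\[if\s[^\]]*\]>/i;

// Remove every HTML comment from the input and report what was removed.
function stripComments(wikitext) {
  const kept = [];
  const removed = [];
  let pos = 0;
  while (pos < wikitext.length) {
    const start = wikitext.indexOf("<!--", pos);
    if (start === -1) {
      kept.push(wikitext.slice(pos)); // no more comments: keep the tail
      break;
    }
    kept.push(wikitext.slice(pos, start));
    const end = wikitext.indexOf("-->", start + 4);
    // Fail closed: an unterminated comment swallows the rest of the input,
    // so nothing after an unclosed "<!--" can reach the rendered page.
    const bodyEnd = end === -1 ? wikitext.length : end;
    const body = wikitext.slice(start + 4, bodyEnd);
    removed.push({ body, conditional: CONDITIONAL.test(body.trimStart()) });
    pos = end === -1 ? wikitext.length : end + 3;
  }
  return { text: kept.join(""), removed };
}

// Constructed sample input containing harmless markup only.
const SAMPLE =
  "Intro <!-- editor note --> text " +
  "<!--[if IE]><b>seen as markup by old IE</b><![endif]--> tail " +
  "<!-- never closed";

function demo() {
  return stripComments(SAMPLE);
}
```

The `conditional` flag is for logging or review only; the comment is removed either way.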