Magnus Manske wrote:
Brion Vibber schrieb:
- Lack of HTML-safety on the UI interface: as a quick hack I added htmlspecialchars() guards, but things really should be changed to use wikitext where appropriate; several of the UI messages are currently displaying raw HTML tags.
Well, they didn't show that raw HTML when I checked 'em in. I'm pretty sure of that one. I'll see if I can fix that.
Well, when you checked it in there were several cross-site scripting vulnerabilities. :)
I did a fairly blanket addition of protection by escaping output, including the UI messages, but some of the messages are apparently meant to be HTML. These should if possible be rewritten; where not possible they should be carefully examined.
Note that we're working on a progressive replacement of all raw HTML user-editable UI messages with explicit plaintext (originally implied) or formatted wikitext. Right now sysops have to be trusted enough not to insert JavaScript or other attacks which could strike at every visitor to the site; with hundreds of sysops on our largest projects it's dubious that we really can extend that degree of trust indefinitely.
Anyway, we can turn this on with a few days (weeks?) delay, just in case. No need to rush, at least not a technical one ;-)
Right.
-- brion vibber (brion @ pobox.com)
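The output-escaping point in Brion's message above, as an added example that is not MediaWiki code and not from either author. It assumes a hypothetical `renderMessage()` helper that takes a sysop-editable message plus a declared format, escapes everything that is not explicitly an HTML message, and only emits raw HTML for message keys that appear in a hypothetical reviewed-list; the sample message is constructed.

```php
<?php
// Added example, not MediaWiki code. It contrasts emitting a user-editable
// UI message as raw HTML with escaping it as plaintext, and shows why raw
// HTML messages need a manual review step before they are allowed through.

// Constructed sample: a UI message a sysop has saved with a script tag in it.
$welcomeMessage = "Welcome, <b>editor</b>! <script>alert(document.cookie)</script>";

// Hypothetical list of message keys whose HTML content has been examined by
// hand; anything not listed here is treated as plaintext even if it claims
// to be HTML. (Assumption for the example; MediaWiki does not keep this list.)
const REVIEWED_HTML_MESSAGES = ['sitenotice-reviewed'];

// Vulnerable form: the message is dropped straight into the page, so any
// markup a sysop wrote runs in every visitor's browser.
function renderRaw(string $message): string
{
    return "<div class=\"uimsg\">$message</div>";
}

// Hardened form for plaintext messages. ENT_QUOTES matters: without it,
// single quotes are left alone, which is unsafe if the same message is ever
// placed inside a single-quoted attribute.
function escapeUi(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

// Hypothetical dispatcher: format 'plain' is always escaped; format 'html'
// is only passed through for keys on the reviewed list, otherwise escaped.
function renderMessage(string $key, string $message, string $format): string
{
    if ($format === 'html' && in_array($key, REVIEWED_HTML_MESSAGES, true)) {
        return '<div class="uimsg">' . $message . '</div>';
    }
    return '<div class="uimsg">' . escapeUi($message) . '</div>';
}

// Attribute context: the same escaping, with ENT_QUOTES doing the work.
function renderTooltip(string $message): string
{
    return '<a href="/" title="' . escapeUi($message) . '">Help</a>';
}

// Demonstration on the constructed message.
echo "Raw (vulnerable):\n", renderRaw($welcomeMessage), "\n\n";
echo "Plain (escaped):\n", renderMessage('welcome', $welcomeMessage, 'plain'), "\n\n";
echo "Claims HTML but not reviewed (escaped):\n",
    renderMessage('welcome', $welcomeMessage, 'html'), "\n\n";
echo "Tooltip:\n", renderTooltip("It's <here>"), "\n";
```

The escaped variants print `&lt;script&gt;` rather than a live tag, and the tooltip keeps the apostrophe as `&#039;` so it cannot terminate the attribute. The reviewed-list check is the code shape of "where not possible they should be carefully examined": a message is only emitted as HTML after someone has looked at it, not because its editor declared it HTML.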