Magnus Manske wrote:
Brion Vibber wrote:
* Lack of HTML-safety on the UI interface: as a quick hack I added
htmlspecialchars() guards, but things really should be changed to use
wikitext where appropriate; several of the UI messages are currently
displaying raw HTML tags.
Well, they didn't show that raw HTML when I checked 'em in. I'm pretty
sure of that one. I'll see if I can fix that.
Well, when you checked it in there were several cross-site scripting
vulnerabilities. :)
I did a fairly blanket addition of protection by escaping output,
including the UI messages, but some of the messages are apparently meant
to be HTML. These should if possible be rewritten; where not possible
they should be carefully examined.
Note that we're working on a progressive replacement of all raw HTML
user-editable UI messages with explicit plaintext (originally implied)
or formatted wikitext. Right now sysops have to be trusted enough not to
insert JavaScript or other attacks which could strike at every visitor
to the site; with hundreds of sysops on our largest projects it's
dubious that we really can extend that degree of trust indefinitely.
Anyway, we can turn this on with a few days (weeks?) delay, just in
case. No need to rush, at least not a technical one ;-)
Right.
-- brion vibber (brion @ pobox.com)
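The two fixes discussed in this thread, the blanket htmlspecialchars() guard on output and the longer-term move to plaintext-by-default messages with formatted wikitext for the few that need markup, as an added PHP illustration. This is not MediaWiki's code; the message store, the message keys and the tiny `[[Target|label]]` link converter are constructed stand-ins for the real message tables and parser.

```php
<?php
// Added example, not MediaWiki code. Shows why escaping sysop-editable UI
// messages on output closes the script-injection hole, and how a
// plaintext-by-default policy keeps that property while still allowing
// formatted messages that are declared as wikitext.

// Constructed sample message store (hypothetical keys and contents).
$messages = [
    'welcome'       => 'Welcome, <user>!',                        // plain text with angle brackets
    'sidebar_note'  => 'See the [[Help|help page]].',             // formatting expressed as wikitext
    'evil'          => 'Hi <script>alert(document.cookie)</script>', // constructed sysop attack
    'evil_wikitext' => '[[Help|help]]<script>alert(1)</script>',  // attack hidden in a wikitext message
];

// Only these keys are permitted to carry markup at all (constructed list).
$wikitextMessages = ['sidebar_note', 'evil_wikitext'];

// Before: raw interpolation of a message into the page. Any HTML a sysop
// stores in the message reaches every visitor's browser unchanged.
function renderRaw(array $messages, string $key): string {
    return $messages[$key];
}

// After (the "quick hack" guard): every message is escaped on output.
// Safe, but a message that was written as HTML now shows its tags as text.
function renderEscaped(array $messages, string $key): string {
    return htmlspecialchars($messages[$key], ENT_QUOTES, 'UTF-8');
}

// Longer term: messages are plaintext unless explicitly declared as
// wikitext, and wikitext is converted by a routine that escapes the whole
// message first and then emits only the HTML it generates itself, so raw
// tags typed into the message can never survive. The converter below
// handles a single [[Target|label]] form and is a hypothetical stand-in
// for the real parser.
function renderMessage(array $messages, array $wikitextKeys, string $key): string {
    $escaped = htmlspecialchars($messages[$key], ENT_QUOTES, 'UTF-8');
    if (!in_array($key, $wikitextKeys, true)) {
        return $escaped;
    }
    return preg_replace_callback(
        '/\[\[([^\[\]|]+)\|([^\[\]]+)\]\]/',
        function (array $m): string {
            // $m[1] and $m[2] are already HTML-escaped text; the target is
            // additionally URL-encoded and pinned under /wiki/, so a
            // "javascript:" target becomes a harmless path segment.
            $target = rawurlencode($m[1]);
            return '<a href="/wiki/' . $target . '">' . $m[2] . '</a>';
        },
        $escaped
    );
}

foreach (array_keys($messages) as $key) {
    echo $key, "\n";
    echo "  raw:     ", renderRaw($messages, $key), "\n";
    echo "  escaped: ", renderEscaped($messages, $key), "\n";
    echo "  policy:  ", renderMessage($messages, $wikitextMessages, $key), "\n";
}
```

Running this shows the trade-off from the thread: `renderEscaped` neutralises the `evil` message but would also have turned an HTML-written link into visible tags, while `renderMessage` keeps the link in `sidebar_note` working and still reduces the `<script>` in `evil_wikitext` to escaped text beside the generated anchor.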