At one point they were briefly enabled in dev trunk and immediately
disabled for safety. :) Never been enabled in production.

-- brion vibber (brion @ wikimedia.org)

On Mar 26, 2009, at 18:30, Aryeh Gregor <Simetrical+wikilist(a)gmail.com> wrote:

> On Thu, Mar 26, 2009 at 9:15 PM, Ilmari Karonen <nospam(a)vyznev.net> wrote:
>
>> Hmm, you're right, it does -- I didn't realize the title was used
>> unescaped. That looks uncomfortably close to an XSS vulnerability
>> anyway. I'd feel a lot more comfortable with a htmlspecialchars() in
>> there. (Didn't we use to allow "<" in titles not so very long ago?
>> Certainly the feature that disallows HTML entities in titles is
>> fairly recent.)
>
> I'm pretty sure we haven't allowed < in titles for a long time.
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
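The escaping step Ilmari asks for, shown as an added illustration that is not MediaWiki code and not code from anyone in the thread. It assumes the title is interpolated into an HTML attribute; the input field, the field name and the sample title are all constructed for the example. The point it makes is the one from the thread: keeping "<" out of titles does not by itself make an unescaped title safe, because a double quote is enough to break out of an attribute, whereas htmlspecialchars() neutralises every HTML-significant character regardless of which ones the title rules happen to allow.

```php
<?php
// Added example for the thread above; not MediaWiki's own code.
// Assumption: a page title is interpolated into an HTML attribute.
// The markup and the sample title are constructed for illustration.

/**
 * Unescaped rendering: whatever is in $title lands verbatim in the
 * markup. Even if titles may not contain '<' or '>', a double quote
 * is enough to close the attribute and start a new one.
 */
function render_unescaped(string $title): string {
    return '<input type="text" name="title" value="' . $title . '">';
}

/**
 * Hardened rendering: htmlspecialchars() with ENT_QUOTES turns the
 * HTML-significant characters (& < > " ') into entities, so the value
 * can never terminate the attribute. ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string, and passing
 * the charset explicitly avoids depending on the default_charset ini.
 * The default double_encode=true also means a title that already
 * contains an entity such as "&lt;" is rendered literally as "&lt;"
 * rather than being decoded by the browser.
 */
function render_escaped(string $title): string {
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="title" value="' . $safe . '">';
}

/**
 * Cheap structural check for the property we care about: the three
 * attributes written by the template account for exactly six double
 * quotes, so any extra one means the value broke out of its attribute.
 */
function attribute_is_intact(string $html): bool {
    return substr_count($html, '"') === 6;
}

// Constructed sample: contains no '<', so it would pass a "no tags in
// titles" rule, yet it carries a quote and an event-handler attribute.
$title = 'Main Page" onfocus="alert(document.cookie)';

$raw  = render_unescaped($title);
$safe = render_escaped($title);

echo "unescaped: ", $raw, "\n";
echo "escaped:   ", $safe, "\n";
echo "unescaped attribute intact? ", var_export(attribute_is_intact($raw), true), "\n";
echo "escaped attribute intact?   ", var_export(attribute_is_intact($safe), true), "\n";
```

Run it with the PHP CLI (php example.php). In the unescaped output the sample title closes the value attribute and adds its own onfocus handler, so the quote count comes out at eight and the check reports false; in the escaped output the two embedded quotes appear as &quot; and the check reports true. The check is only a demonstration aid for this one template, not a general XSS detector: the real defence is escaping at the point where the title is written into HTML, with the escaping function chosen for the context (attribute, element body, URL, JavaScript) rather than relying on which characters the title validation rules reject.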