Dschwen wrote:
It does if it's a pure proxy with no access control because I could say "Hey, Bryan, load http://commons.wikimedia.org/w/api.php?tsproxy=~evil/evil.js" ... and you follow the link and evil js happily steals your session cookie and begins to replace every image with goatse.
Then I should point out that this very thing is currently possible with this link: http://commons.wikimedia.org/wiki/Eurotunnel?withJS=User:Dschwen/evil.js%26M...
Uhm, actually this wasn't supposed to work, but the security checks on the withJS thingie are a little flaky. I'll fix this in a minute.
Seems the review process didn't work so well, Domas. Even worse, when it was published (two months ago) the publication notice included "As it's a potential XSS vector, those able please help reviewing it, to verify the code is safe." :(