On Thu, Dec 12, 2013 at 7:21 AM, Brian Wolff bawolff@gmail.com wrote:
I actually feel the opposite. Point #1 does not make core development much harder. There's the occasional issue with local customization, but in my experience these types of issues are few and far between. Point #2 does scare me a little bit, particularly on the non-enwikipedia sites. I agree with Chad that anecdotes in this area probably have more to do with no one looking than with any actual greater security.
--Bawolff
I'll compile hard numbers when I have some free time, but I strongly agree with Bawolff here. Site JavaScript accounts for a significant percentage of the total XSSes we've fixed, and almost no one is reviewing it.