On Thu, Dec 12, 2013 at 7:21 AM, Brian Wolff <bawolff(a)gmail.com> wrote:
I actually feel the opposite. Point #1 does not make core development
much harder. There's the occasional issue with local customization,
but in my experience these types of issues are few and far between.
Point #2 does scare me a little bit, particularly on the
non-enwikipedia sites. I agree with Chad that anecdotes in this area
probably have more to do with no one looking, than any actual greater
security.
--Bawolff

I'll compile hard numbers when I have some free time, but I strongly agree
with Bawolff here. Site JavaScript has a significant percentage of the
total XSSes we've fixed, and almost no one is reviewing them.