Hey,
Do we trust that messages do not have evil (XSS) stuff in them? The reason
why I ask is that I was just using .msg from mediawiki.jqueryMsg, and
realized that things in the message do not get escaped. Since the function
can take in HTML elements, this seems to be pretty inherent.
Is this "properly" escaped? (Any HTML in the message is not.)
http://pastebin.com/XaWL2bVJ
Cheers
--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil.