a) Available to sysops of particular project only
No, it applies to all user scripts. I doubt that every user who is including
them in their profile is doing a security audit of the JavaScript.
b) Monitored, is in watchlists and under revision control.
See a). User scripts are not in revision control (apart from the MediaWiki
history).
c) General codebase is constantly monitored for XSS problems.
See a). This already applies to user scripts. The reverse proxy will not open
any new security holes. I could already hide code which sends the session
keys through embedded iframes to any server in the world in my user
JavaScripts, such as the WikiMiniAtlas (which is even included by default).
--
http://en.wikipedia.org/wiki/User:Dschwen
http://de.wikipedia.org/wiki/User:Dschwen
http://commons.wikipedia.org/wiki/User:Dschwen
http://meta.wikipedia.org/wiki/User:Dschwen