In my opinion, such accounts should be globally blocked btw. It is a grave breach of trust and such accounts cannot be trusted anywhere else either. Thanks for playing, but goodbye for ever.
DJ
On Wed, Mar 14, 2018 at 3:42 PM, Brian Wolff bawolff@gmail.com wrote:
On Wednesday, March 14, 2018, David Gerard dgerard@gmail.com wrote:
What ways are there to include user-edited JavaScript in a wiki page?
I ask because someone put this revision in (which is now deleted):
https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB...
You can't see it now, but it was someone including a JavaScript cryptocurrency miner in common.js!
Obviously this is not going to be a common thing, and common.js is closely watched. (The above edit was reverted in 7 minutes, and the user banned.)
But what are the ways to get user-edited JavaScript running on a MediaWiki, outside one's own personal usage? And what permissions are needed? I ask with threats like this in mind.
- d.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
You need editinterface, edituserjs, or some of the centralnotice related rights (or the steward related rights to give yourself these rights).
Any method that does not involve editinterface or a related right that is normally restricted to administrator (or higher group) should be considered a serious security issue in mediawiki and reported immediately.
-- Brian Wolff _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l