Nick Jenkins wrote:
- Why does MediaWiki ever allow unescaped ">" characters? This
behaviour seems to increase the chances of a JavaScript security problem.
It doesn't, modulo uncaught bugs.
Well, all I can tell you is that this is the behaviour that I observe.
That's why they're called "bugs".
Question: will this break wikis with $wgRawHtml on? (Used to embed arbitrary HTML.)
Arbitrary HTML, by being arbitrary, does not have attribute normalization applied to it.
Instead, we now have one article, and one template. For the template (call it "Template:OpenTag") we have:
{| BGCOLOR=<span style="font-weight: bold;">
Then in the article we have:
{{OpenTag}}
Which now renders as this HTML output:
<p>>>>>> </p> <table bgcolor="<span">
I'm afraid I can't reproduce your output here; I see:
---------------------------
<table bgcolor="<span">
<tr><td></td></tr>
---------------------------
Are you keeping up to date with the code?
-- brion vibber (brion @ pobox.com)
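
An added example, not part of the thread and not MediaWiki's own code: one way to normalize the attribute text of a `{|` table line so that `<`, `>` and quotes in a value cannot leave the attribute, run on the `BGCOLOR=<span ...` input quoted above. The function names and the allowlist are assumptions made for this sketch.

```python
import html
import re

# Assumed allowlist for <table>; "style" is left out because its value
# would need a separate CSS check, which this sketch does not do.
ALLOWED_TABLE_ATTRS = {"bgcolor", "border", "cellpadding", "cellspacing",
                       "class", "width"}

# A name, optionally followed by "=" and a double-quoted, single-quoted
# or bare (whitespace-terminated) value.
ATTR_RE = re.compile(
    r"""([A-Za-z][A-Za-z0-9:_-]*)          # attribute name
        (?:\s*=\s*
           (?: "([^"]*)" | '([^']*)' | ([^\s"'=]+) )
        )?""",
    re.VERBOSE,
)

# Attribute text from the template in the thread (after the "{|").
SAMPLE = 'BGCOLOR=<span style="font-weight: bold;">'


def normalize_attrs(raw, allowed=ALLOWED_TABLE_ATTRS):
    """Return ' name="value"' pairs with names lower-cased and values escaped."""
    out = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        if name not in allowed:
            continue  # drops event handlers and anything unknown
        value = next((g for g in m.groups()[1:] if g is not None), "")
        # Decode entities first so already-escaped input is not escaped twice,
        # then encode &, <, > and both quote characters.
        value = html.escape(html.unescape(value.strip()), quote=True)
        out.setdefault(name, value)  # first occurrence wins, as in HTML parsers
    return "".join(f' {k}="{v}"' for k, v in out.items())


def open_table(raw):
    """Build the opening tag for a wikitext table line's attribute text."""
    return "<table" + normalize_attrs(raw) + ">"


if __name__ == "__main__":
    print(open_table(SAMPLE))
```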