On Tue, Jan 22, 2013 at 3:53 AM, Daniel Friesen daniel@nadir-seen-fire.com wrote:
On Mon, 21 Jan 2013 21:50:32 -0800, Alex Brollo alex.brollo@gmail.com wrote:
I tried to build a template which wraps template parameters into data- attributes. First results were encouraging, then I found something logical but unexpected, crushing the whole idea.
I wrote into the code of an infobox-like template something like this:
<span data-author="{{{author}}}" data-birthdate="{{{birthDate}}}"....></span>
and I was very happy to see that the HTML code had my data wrapped in such span tags.
But.... I was testing my code with clean templates, i.e. templates which have no wikicode in their parameter values (as is usually the case on it.wikisource). As soon as I tested my idea on another project (Commons) I found that any wikicode (template call, parameter, link....) present in the value of an infobox parameter breaks things, since it is parsed and expanded by the parser with unpredictable results.
So... I ask you again: is there any sound reason (i.e. safety related, or server load related) to avoid HTML comments, wrapped in raw page wikicode, being sent back into the HTML rendering as they are?
Alex Brollo
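To make the failure Alex describes concrete, here is a small added illustration (not code from the thread, from MediaWiki, or from any of its templates). It assumes a hypothetical rendered fragment, EXPANDED_AUTHOR, standing in for what the parser might return after expanding a wikilink in the parameter value: once the expanded HTML carries its own quotes, dropping it straight into data-author="..." terminates the attribute early and the rest of the span is mangled. The safe_attr helper shows the defensive alternative of reducing the value to text and attribute-encoding it before it is placed in the attribute; the parsing helper uses the standard library's lenient HTML parser to show what a consumer actually sees.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a hypothetical rendered fragment, standing in for what a
# wiki parser might hand back after expanding a wikilink in a parameter value.
EXPANDED_AUTHOR = (
    '<a href="/wiki/Dante_Alighieri" title="Dante Alighieri">Dante Alighieri</a>'
)
BIRTHDATE = "1265"

TAG_RE = re.compile(r"<[^>]+>")


def naive_span(author, birthdate):
    """The approach from the post: expanded values dropped straight into attributes."""
    return f'<span data-author="{author}" data-birthdate="{birthdate}"></span>'


def safe_attr(value):
    """Reduce any markup to its text content, then attribute-encode that text."""
    text = html.unescape(TAG_RE.sub("", value))
    return html.escape(text, quote=True)


def safe_span(author, birthdate):
    """Same span, but every value goes through safe_attr first."""
    return (
        f'<span data-author="{safe_attr(author)}" '
        f'data-birthdate="{safe_attr(birthdate)}"></span>'
    )


class _SpanAttrs(HTMLParser):
    """Collect the attributes of the first <span> the lenient parser sees."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "span" and self.attrs is None:
            self.attrs = dict(attrs)


def span_attributes(fragment):
    """Parse the fragment as a lenient HTML consumer would; return the span's attributes."""
    p = _SpanAttrs()
    p.feed(fragment)
    p.close()
    return p.attrs or {}


if __name__ == "__main__":
    # The naive span loses data-birthdate entirely: the parser closes the tag
    # at the first '>' inside the expanded link, so the attribute never lands.
    print(span_attributes(naive_span(EXPANDED_AUTHOR, BIRTHDATE)))
    # The escaped span carries exactly the two intended attributes.
    print(span_attributes(safe_span(EXPANDED_AUTHOR, BIRTHDATE)))
```

Note that safe_attr deliberately throws away the link markup rather than trying to preserve it: a data- attribute can only hold text, so the only values worth putting there are the plain strings the template author meant, which is the situation Alex had on it.wikisource.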
Yes.
Thanks to IE, even comments can actually be treated as raw html and end up executing scripts opening up XSS holes in the wiki.
Seconded. There is really no safe way to allow comments through.
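As an added illustration of the defensive stance Daniel describes (this is not MediaWiki's code, which has its own comment handling in its parser, and not anything from the thread), the block below strips every HTML comment from page text before it could reach the renderer. The constructed SAMPLE includes an IE conditional comment, the legacy-IE construct whose body the browser treated as live markup, and an unterminated comment, which browsers extend to the end of the input; both are removed.

```python
import re

# A comment runs from "<!--" to the next "-->", or to the end of the input if
# it is never closed (browsers treat an unterminated comment the same way).
COMMENT_RE = re.compile(r"<!--.*?(?:-->|\Z)", re.DOTALL)


def strip_html_comments(wikitext):
    """Remove every HTML comment, closed or not, before the text is rendered."""
    return COMMENT_RE.sub("", wikitext)


def contains_comment(text):
    """Cheap post-condition check a renderer can apply to its own output."""
    return "<!--" in text


# Constructed sample page text. The second comment is an IE conditional
# comment: legacy IE parsed its body as real markup, so passing it through
# untouched would hand the browser a script tag that no editor ever saw rendered.
SAMPLE = (
    "Some article text. <!-- editor's note: check birth year -->\n"
    '<!--[if IE]><script src="/placeholder-untrusted.js"></script><![endif]-->\n'
    "More text. <!-- unterminated comment that swallows the rest"
)


if __name__ == "__main__":
    cleaned = strip_html_comments(SAMPLE)
    print(repr(cleaned))
    print("comments remaining:", contains_comment(cleaned))
```

The regex errs on the side of removing too much: the degenerate forms `<!-->` and `<!--->`, which the HTML parsing algorithm treats as empty comments, are consumed to the end of the input here. For a sanitizer that is the safe direction, since the alternative of letting any comment-shaped text through is exactly what the thread rules out.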