HTML files uploaded to the wikis are now served as plain text, so browsers will show the HTML source instead of interpreting it as a web page.
This should reduce the possibility of stealing people's login cookies by getting them to click on a link to an uploaded HTML file containing javascript.
(Uploading HTML files has never been recommended. Preferably host 'live' example HTML files on your own web site and link rather than uploading them to the Wikipedia server.)
-- brion vibber (brion @ pobox.com)
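As an added illustration of the mitigation described above (example code, not MediaWiki's own and not from the list), a Python function that picks the response headers for a user upload: anything that looks like HTML, by file extension or by content, is served as text/plain so the browser displays the source; the X-Content-Type-Options: nosniff header is a later addition not mentioned on the page, and the function names and the marker list are constructed for this example.

```python
import re

# Tags that browsers historically used to "sniff" a file as HTML even when the
# server called it text/plain (marker list constructed for this example).
_HTML_MARKERS = re.compile(
    rb"<\s*!?\s*(doctype|html|head|body|script|iframe|object|embed|svg)\b", re.I
)

# Uploads that may be shown inline with their real type; everything else is opaque.
_INLINE_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "gif": "image/gif"}


def looks_like_html(data: bytes) -> bool:
    """True if the first 512 bytes contain an HTML-like tag, whatever the name says."""
    return _HTML_MARKERS.search(data[:512]) is not None


def upload_response_headers(filename: str, data: bytes) -> dict:
    """Choose headers for serving an upload so the browser never runs script from it.

    HTML-looking content is served as text/plain, which makes the browser show the
    source instead of rendering it, as the list post describes.  nosniff (added
    here; not on the page) tells the browser not to second-guess that type.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    headers = {"X-Content-Type-Options": "nosniff"}
    if ext in {"html", "htm", "xhtml", "xht", "shtml", "svg", "xml"} or looks_like_html(data):
        headers["Content-Type"] = "text/plain; charset=utf-8"
    elif ext in _INLINE_TYPES:
        headers["Content-Type"] = _INLINE_TYPES[ext]
    else:
        # Unknown types: opaque bytes, downloaded rather than displayed.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers
```

The content check matters as much as the extension check: a renamed .txt file full of markup is exactly what older browsers would sniff back into a rendered page.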
Brion Vibber wrote:
> HTML files uploaded to the wikis are now served as plain text, so browsers will show the HTML source instead of interpreting it as a web page.
> This should reduce the possibility of stealing people's login cookies by getting them to click on a link to an uploaded HTML file containing javascript.
> (Uploading HTML files has never been recommended. Preferably host 'live' example HTML files on your own web site and link rather than uploading them to the Wikipedia server.)
bummer. :( I was using that facility to upload work on Wikipedia skins :( Any chance you could reenable it on Meta? Could you make it somehow mung any <script> elements for safety?
On Mon, 2003-09-29 at 05:26, tarquin wrote:
> bummer. :( I was using that facility to upload work on Wikipedia skins :( Any chance you could reenable it on Meta?
Well, then you could only steal people's _meta_ passwords. :)
Actually, I haven't changed the test wiki, so you should be able to upload live HTML pages to test.wikipedia.org. No one would be using real passwords there, anyway, so the danger's just in 'annoying' javascript. (Like, open a million windows of goatse.cx and the hamster dance.)
> Could you make it somehow mung any <script> elements for safety?
Hypothetically, but that's more work and very hard to do safely, and you still can't demo anything with javascript in it.
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org