If the developer setting $wgUseXssLanguage is set to true, then an “x-xss”
language code becomes available and can be selected with *?uselang=x-xss*
in the URL. When using this language code, all messages become “malicious”:
every message is replaced by a snippet of HTML that tries to run
alert('*message-key*').
Clever feature - this will be great for testing. Thank you!
-Yaron
--
WikiWorks · MediaWiki Consulting ·
http://wikiworks.com
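
One way to use this for testing, as an added example that is not part of the original message and not MediaWiki's own code: parse a page rendered with ?uselang=x-xss and separate message keys whose markup went live (unescaped output) from those that stayed inert text. The class and function names, the sample HTML and its message keys are constructed, and since the exact payload markup is not given above, the code matches only the alert('message-key') call.

```python
import re
from html.parser import HTMLParser

# Assumption: the page only says each message becomes HTML that tries to run
# alert('message-key'); the wrapper markup is not given, so match the call itself.
ALERT_RE = re.compile(r"alert\('([^']+)'\)")

class XssMessageAudit(HTMLParser):
    """Sort x-xss message keys by whether their markup stayed inert or went live."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.live = set()    # payload parsed as script or event handler: unescaped
        self.inert = set()   # payload survived only as text or a plain attribute

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            keys = ALERT_RE.findall(value or "")
            (self.live if name.startswith("on") else self.inert).update(keys)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        keys = ALERT_RE.findall(data)
        (self.live if self.in_script else self.inert).update(keys)

def audit(rendered_html):
    """Return (unescaped_keys, escaped_keys) for one page rendered with uselang=x-xss."""
    parser = XssMessageAudit()
    parser.feed(rendered_html)
    parser.close()
    return sorted(parser.live), sorted(parser.inert - parser.live)

# Constructed sample output, not captured from a real wiki; message keys are made up.
SAMPLE = """
<h1>&lt;script&gt;alert('example-title')&lt;/script&gt;</h1>
<div class="notice"><script>alert('example-notice')</script></div>
<input value="&quot;&gt;&lt;script&gt;alert('example-label')&lt;/script&gt;">
<input value=""><script>alert('example-tooltip')</script>">
"""

if __name__ == "__main__":
    print(audit(SAMPLE))  # (unescaped keys, escaped keys)
```

Every key in the first list names a message that some code path emitted without escaping, so the key itself is the pointer to the output call that needs fixing.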