[Mediawiki-l] Question about recursiveTagParse()

Vadtec vadtec at vadtec.net
Mon Jun 14 00:40:11 UTC 2010


Greetings all,

I'm not sure if this is the right mailing list to be posting this question to,
so if I should be posting to mediawiki-api, please let me know. (I think I'm in
the right spot though.)

I have a question about recursiveTagParse(). Is it XSS safe? As in, do I need to
escape its output with htmlspecialchars() or does it take care of that for me?

I am writing a tag extension, and I need it to be able to parse wiki text. I
have followed the instructions at
http://www.mediawiki.org/wiki/Manual:Tag_extensions#Version_1.8_to_version_1.15
(I am running MW 1.15.4), but it doesn't specify if the output is XSS safe or not.

Erring on the side of caution, I have pre-escaped all of my user-supplied
variables with htmlspecialchars(), but if I could avoid this step it would be
wonderful, both for the simplicity of coding and performance.

Thanks for any advice you can offer, it's much appreciated.

- Vadtec
