Simetrical wrote:
On Feb 18, 2008 2:25 AM, tstarling@svn.wikimedia.org wrote:
- Removed nonsense warning about the output of wfMsg() not being safe for inclusion in HTML.
I assume what Erik meant there is that it may output arbitrary HTML, and we're trying to move away from allowing sysops to insert arbitrary HTML into pages.
It's safe to allow sysops to insert arbitrary HTML into pages. This is because we trust sysops. If it's unsafe to allow them to add arbitrary HTML, we should immediately remove their equally dangerous ability to edit MediaWiki:Monobook.js. But we don't, because we trust them.
A security model has to be derived from a threat model. There is no threat which would be eliminated by removing all HTML messages. There is also no threat which would be eliminated by scaremongering in source code comments for several years.
-- Tim Starling