Edward Z. Yang wrote:
Simetrical wrote:
Well, I've said all that to Brion, but he didn't agree. :) He wants to get rid of all HTML-permitting messages. Actually, I think part (most? all?) of his concern is that sysops shouldn't be expected to know HTML, or to be capable of outputting remotely valid HTML, and so formatting should always be achieved via wikitext. Or something like that. It's been a while.
It sounds like (and I don't know what Brion is thinking, but here's my humble opinion)
Well, to speak for myself... :)
There are several basic issues which lead me to prefer a minimization of raw HTML messages:
* Consistency (principle of least surprise)
Some messages are raw HTML, some are wikitext, some are plain text... it gets confusing when you're trying to customize something and you didn't know ahead of time what did what.
Reducing/eliminating at least one of those possibilities makes it easier to predict what will happen when you customize a message, and that's a good thing.
* Correctness
HTML is fragile, and when mistakes are made customizing the raw HTML, things can break in... interesting ways. :) Worst case, in full XHTML mode you just won't be able to see the site in your browser anymore after breaking the markup.
In theory, wikitext messages are more robust. In practice, we currently skip some of the HTML validation on wikitext messages for performance reasons, so this is presently limited.
* Security (principle of least privilege)
The number of sysops continues to grow on large sites like Wikipedia; the trouble of an admin account run amok also increases. One of the potential dangers is injecting JavaScript into the HTML that all other users load.
Reducing the ability to edit raw HTML/JS/CSS editing to a smaller user group would decrease the attackable surface. As long as we use raw HTML messages, the privilege to customize those UI translations implies the ability to inject global JavaScript.
If we separate the customization and translation of UI strings from the customization of global CSS and JavaScript, it would then become possible to separate those two privileges to differently-sized and differently-vetted groups.
-- brion vibber (brion @ wikimedia.org)