In general, yes. But when dealing with things like checkuser or oversight, where JS injection could release info that sysops could not otherwise have, it makes me a bit worried, so I try to escape HTML, such as via wikitext. I suppose it is not *likely* to matter, but still, it is another gap filled.
-Aaron Schulz
To: wikitech-l@lists.wikimedia.org From: tstarling@wikimedia.org Date: Tue, 19 Feb 2008 13:46:51 +1100 Subject: Re: [Wikitech-l] [MediaWiki-CVS] SVN: [31044] trunk/phase3
Simetrical wrote:
On Feb 18, 2008 2:25 AM, tstarling@svn.wikimedia.org wrote:
- Removed nonsense warning about the output of wfMsg() not being safe for inclusion in HTML.
I assume what Erik meant there is that it may output arbitrary HTML, and we're trying to move away from allowing sysops to insert arbitrary HTML into pages.
It's safe to allow sysops to insert arbitrary HTML into pages. This is because we trust sysops. If it's unsafe to allow them to add arbitrary HTML, we should immediately remove their equally dangerous ability to edit MediaWiki:Monobook.js. But we don't, because we trust them.
A security model has to be derived from a threat model. There is no threat which would be eliminated by removing all HTML messages. There is also no threat which would be eliminated by scaremongering in source code comments for several years.
-- Tim Starling
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_________________________________________________________________ Helping your favorite cause is as easy as instant messaging. You IM, we give. http://im.live.com/Messenger/IM/Home/?source=text_hotmail_join