Daniel Friesen wrote:
We can kill html messages over time (and it would definitely be a good idea anyways). Messages for .js can be rejected from the localized downloads. And frankly killing the inclusion of .js and .css from the i18n space would be good too.
Principle of least permission, if we have to download i18n then at the very least we shouldn't allow that format to inject php and turn everyone's vps servers into a big botnet.
Man, that kills all the fun :)
Also, that means that we have an excuse for holing those pesty firewalls that don't allow us to "enable" their site [1].