Hey,
Do we trust that messages do not have evil (XSS) stuff in them? The reason why I ask is that I was just using .msg from mediawiki.jqueryMsg, and realized that things in the message do not get escaped. Since the function can take in HTML elements, this seems to be pretty inherent.
Is this "properly" escaped? (Any HTML in the message is not.) http://pastebin.com/XaWL2bVJ
Cheers
--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil.
--
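The distinction the question turns on, as an added example (not code from the email and not jqueryMsg's implementation): message text is treated as trusted markup and inserted as-is, while `$1`-style parameters are untrusted and must be escaped, with a review check for message text that would be trusted. `renderMessage`, `messageHasScriptableMarkup` and the `{ trustedHtml }` marker standing in for an already-built DOM node are names chosen here.

```javascript
// Added example: models the trust split that jqueryMsg-style rendering implies.
// Message *text* is inserted unchanged (it may legitimately carry HTML), while
// *parameters* ($1, $2, ...) come from untrusted input and are HTML-escaped.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Substitute $1..$n into messageText. String params are escaped; a param of the
// form { trustedHtml: '...' } stands in for an already-built DOM node (hypothetical
// marker) and is inserted raw. Placeholders with no matching param are left alone.
function renderMessage(messageText, params) {
  return messageText.replace(/\$(\d+)/g, (match, index) => {
    const param = params[Number(index) - 1];
    if (param === undefined) return match;
    if (param !== null && typeof param === 'object' && 'trustedHtml' in param) {
      return param.trustedHtml;
    }
    return escapeHtml(param);
  });
}

// Heuristic review check for message text that the renderer will trust as markup:
// flags script elements, inline event-handler attributes and javascript: URLs.
function messageHasScriptableMarkup(messageText) {
  return /<script\b/i.test(messageText)
    || /\son[a-z]+\s*=/i.test(messageText)
    || /javascript\s*:/i.test(messageText);
}
```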