Board Thread:Support Requests - Getting Technical/@comment-25295528-20161017152024/@comment-28822533-20161019195255

Dessamator wrote:
> Rappy 4187 wrote:
> > Dessamator wrote:
> > > Not really, Rappy's change was restoring a previous functionality that allowed XSS, http://dev.wikia.com/wiki/MediaWiki:WikiaNotification/code.js?diff=prev&oldid=37436. The person who changed it to ".text" actually made the breaking change since the script was documented as allowing anchor tags all along.
> > >
> > > In any case, that script should be disabled until this is fixed, and should probably be reported through Special:contact/security, or maybe ask VSTF to delete (since there is no disable mechanism) the script for now.
> >
> > The former code was allowed in-as-such as the message itself would have to be reviewed for security purposes regardless.
>
> True, but it was a dangerous gamble because someone could have set that variable through another unrelated script, making it harder to detect:
>
>     // assigns window.wikianotifs through a computed property name
>     var name = "wikianotifs";
>     var a = "...";
>     console.log(window[name] = a);
>
> Or even simpler, set up a script that retrieves variables from a mediawiki page, much like the ProfileTags script.
>
> Not to mention the fact that constant reviews for minor changes such as simple text is what this thread is all about. They are quite simply unnecessary. Converting, disallowing or escaping are better alternatives.

I felt the need to join in with this conversation and say that I was making a widget on a wiki site-wide that uses an iframe and unintentionally didn't escape some of the user input, which could have led to easy XSS exploitation... it's fixed now and the safe revision is live, but the point being Wikia are not 100% perfect with code reviews, as at the time the vulnerable code was approved. I don't think Fandom regard me as a suspicious user, so they probably leaned towards approving the code rather than checking it properly in the first place.
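The "converting, disallowing or escaping" alternative the thread argues for, as an added example that is not part of the original post and not code from the WikiaNotification script: the notification is rendered from escaped text plus a list of validated links, so no raw HTML message ever reaches `.html()`. The message shape `{text, links: [{text, href}]}`, the function names and the sample message are all assumptions made for this example.

```javascript
// Added example (not from the thread or from Wikia's WikiaNotification script).
// Shows escaping and "conversion" of a notification message instead of trusting
// it as markup. The {text, links:[{text, href}]} shape is an assumed format.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Accept only absolute http(s) URLs or simple site-relative paths ("/wiki/Foo").
// "//host/..." and "/\host/..." are rejected because browsers resolve them to another origin.
function safeHref(href) {
  const s = String(href);
  if (/^\/[^/\\]/.test(s)) return s;
  try {
    const u = new URL(s);                // throws on relative or malformed input
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) { /* not an absolute URL */ }
  return null;                           // javascript:, data:, vbscript:, etc.
}

// The pattern the thread objects to: the message string is trusted as markup.
function renderUnsafe(message) {
  return '<div class="wikia-notification">' + message + "</div>";
}

// The hardened pattern: every string is escaped and the only tags in the output
// are anchors the renderer builds itself, from validated hrefs.
function renderSafe(notification) {
  const parts = [escapeHtml(notification.text)];
  for (const link of notification.links || []) {
    const href = safeHref(link.href);
    if (href === null) {
      parts.push(escapeHtml(link.text)); // keep the label, drop the rejected link
      continue;
    }
    parts.push('<a href="' + escapeHtml(href) + '" rel="noopener">' + escapeHtml(link.text) + "</a>");
  }
  return '<div class="wikia-notification">' + parts.join(" ") + "</div>";
}

// Constructed sample: a message that is markup rather than text, one good link, one bad link.
const SAMPLE = {
  text: "<script>track()</script> New sitewide notice",
  links: [
    { text: "Read more", href: "/wiki/Site_news" },
    { text: "Click here", href: "javascript:void(0)" },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderUnsafe(SAMPLE.text)); // script tag survives intact
  console.log(renderSafe(SAMPLE));        // script tag escaped, bad link reduced to its label
}
```

The point of `renderSafe` is that the review burden moves from "is this message safe HTML?" to "does the renderer only ever emit markup it built itself?", which is a property a reviewer can check once rather than on every message edit.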