Board Thread:General Discussion/@comment--20150814190019/@comment-2200849-20150814231547

452 wrote: Admins will be able to write JS and submit it for review. Then a group will review code changes to ensure they are both secure and don’t include any major breaking changes. That is a ridiculous solution.

I've made over 500 edits to Mediawiki:Common.js, and have 15 subscripts with many more edits. The concept of having to submit minor changes for review is preposterous.

And the concept of "all admins are guilty of adding malicious javascript until reviewed to be innocent" is insulting to all admins who have never done so.

Kirkburn wrote:

If you have specific MediaWiki messages that you think should be whitelisted for editing around Wikia, please feel free to send a note into Special:Contact about it - we do certainly anticipate expanding the current whitelist. According to Special:AllMessages, I've modified exactly 189 mediawiki messages - should I write in requesting they all be unlocked? Admins shouldn't have to use Special:Contact every time they want to edit one.

"He who sacrifices freedom for security deserves neither."

- Benjamin Franklin (Allegedly )

Sorry, I was unclear. I meant that this solution is decent enough as a short-term mitigation—but it can become inconvenient in the long run.

As for the MediaWiki namespace whitelisting, I think it would be much better to just ditch the Verbatim extension—most of its functionality can be imitated through Javascript anyways, and snippets such as Twitter widgets can be rewritten as MW extensions to provide tighter integration.