Board Thread:General Discussion/@comment-25523075-20150727172451/@comment-24473195-20150727212535

Cqm wrote: The code-editor group was designed to alleviate the issues to a degree, as it adds a layer of security to js pages on dev wiki. However, the group is only added to accounts with demonstrable knowledge of js, leaving the current flaw.

In an ideal world we'd use global gadgets, but that's not going to happen in the foreseeable future. It is a shame that there is no way we can do sanity checks on code loaded using js. Otherwise it would be a simple matter to see if the code is doing what the author claims it does.

That's why I prefer using lua modules, although they can't be used for every situation. The testcases I generally put in dev wiki can at least give some indication of how it'll work, and with a bit of js they could even be designed to appear automatically for every module.

A white-list seems to be the best course of action for js pages. Dev wiki admins can gradually add scripts every so often, and links to every other script will simply be ignored by "import".
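
The white-list idea from the post above, sketched as an added example that is not part of the original thread or of Wikia's code. `filterImports`, `normalizeTitle` and the script names are hypothetical, and the check assumes approved scripts live in the dev wiki's MediaWiki namespace.

```javascript
// Constructed list of reviewed scripts that dev wiki admins would maintain.
const APPROVED = [
  'MediaWiki:ShowHide/code.js',
  'MediaWiki:Countdown/code.js',
];

// Reduce a requested title to one canonical key, so that spellings MediaWiki
// treats as the same page (underscores vs spaces, namespace case, lower-case
// first letter) cannot slip past or wrongly fail the comparison.
function normalizeTitle(raw) {
  if (typeof raw !== 'string') return null;
  const title = raw.replace(/[_\s]+/g, ' ').trim();
  const colon = title.indexOf(':');
  if (colon <= 0) return null; // an explicit namespace is required
  const ns = title.slice(0, colon).trim().toLowerCase();
  const page = title.slice(colon + 1).trim();
  // Only MediaWiki-namespace .js pages qualify; URLs and interwiki-style
  // prefixes fail here because their "namespace" is something else.
  if (ns !== 'mediawiki' || !page.endsWith('.js')) return null;
  // Characters that are illegal in titles or that start a query or fragment.
  if (/[:#?<>[\]{}|]/.test(page)) return null;
  return ns + ':' + page.charAt(0).toUpperCase() + page.slice(1);
}

// Canonical key -> the exact title that was reviewed.
const approvedByKey = new Map(APPROVED.map((t) => [normalizeTitle(t), t]));

// Split a list of requested imports into approved titles and ignored entries.
// Approved entries are returned as the reviewed title, not as the caller's
// spelling, so the loader only ever sees names from the list.
function filterImports(requested) {
  const allowed = [];
  const ignored = [];
  for (const entry of requested) {
    const key = normalizeTitle(entry);
    if (key !== null && approvedByKey.has(key)) {
      allowed.push(approvedByKey.get(key));
    } else {
      ignored.push(entry);
    }
  }
  return { allowed, ignored };
}
```

Logging the `ignored` list gives admins a record of which unreviewed scripts wikis are still trying to load.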