Thread:ShinyAfro/@comment-188432-20180823182945/@comment-27345308-20180824105254

Sorry for jumping in, but...

CzechOut wrote: We kinda think that if a category has a name of, say,  — something that's perfectly legal under MW naming conventions — the script will be vulnerable.

How is that [//community.wikia.com/wiki/Category:%3Cscript%3Ealert(%22A%22);%3C/script%3E perfectly legal under MW naming conventions]? If it was, there would be far more security issues not only in Wikia's codebase but in vanilla MediaWiki as well, I'm pretty sure.

CzechOut wrote: Additionally, in the expression, it seems entirely possible that val could be HTML — a risky situation since that whole thing is directly inserted into the   function.
 * 1) If I'm reading the code correctly,   is a category name, which cannot contain < and >, characters without which inserting HTML tags is not possible.
 * 2)   sends the wikitext for parsing to MediaWiki and then inserts it into the DOM. If inserting parsed wikitext were a security issue, Wikia would have way more problems than just with a script.
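To make the point in (1) concrete, here is an added example (my own illustration, not code from the thread, from CzechOut, or from Wikia's script): a client-side check that mirrors the characters MediaWiki refuses in any page or category title (`#`, `<`, `>`, `[`, `]`, `|`, `{`, `}`, control characters, percent-encoded sequences and `~~~`), plus defence-in-depth escaping so that even a legal name never reaches `innerHTML` unescaped. The function names and the `/wiki/Category:` path are assumptions for the example.

```javascript
// Added example: validate a category name against MediaWiki's title rules
// and escape it before it is ever placed into HTML. Not Wikia's code.

// Characters MediaWiki never allows in a title: '#' starts a fragment,
// the rest are wikitext/HTML markup. '<' and '>' are the ones the thread is about.
const ILLEGAL_TITLE_CHARS = /[#<>\[\]|{}]/;
// ASCII control characters are rejected as well.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Returns true only if `name` could exist as a MediaWiki page/category title.
function isLegalMediaWikiTitle(name) {
  if (typeof name !== 'string' || name.trim() === '') return false;
  if (ILLEGAL_TITLE_CHARS.test(name) || CONTROL_CHARS.test(name)) return false;
  // Titles may not contain percent-encoded byte sequences such as "%3C".
  if (/%[0-9A-Fa-f]{2}/.test(name)) return false;
  // Three tildes are signature magic and are refused in titles.
  if (name.includes('~~~')) return false;
  return true;
}

// Defence in depth: escape the five HTML-significant characters regardless
// of whether the title rules already exclude some of them.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor markup for a category link (assumed /wiki/Category: path).
// Refuses names that MediaWiki itself would never accept, and escapes the rest.
function categoryLinkHtml(categoryName) {
  if (!isLegalMediaWikiTitle(categoryName)) {
    throw new Error('refusing to render an illegal category name');
  }
  // MediaWiki stores spaces as underscores in the URL form of a title.
  const href = '/wiki/Category:' + encodeURIComponent(categoryName.replace(/ /g, '_'));
  return '<a href="' + href + '">' + escapeHtml(categoryName) + '</a>';
}

// Example run with constructed names:
//   categoryLinkHtml('Tom & Jerry') -> '<a href="/wiki/Category:Tom_%26_Jerry">Tom &amp; Jerry</a>'
//   isLegalMediaWikiTitle('<script>alert("A");</script>') -> false
```

The first check reproduces why the linked category name cannot exist on a MediaWiki site; the escaping step is what a script should do anyway, so that it does not depend on the title rules staying the same.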