Board Thread:General Discussion/@comment--20150814190019/@comment-2200849-20150815095904

Gguigui1 wrote: Here are my ideas:
 * Remove the login form from all pages and force the login through Special:UserLogin, where JS code is not executed, so there is no possibility of getting the password from there, avoiding the use of Special:ChangePassword by a script to change the user's password.
 * Avoid email changes by scripts, or send an email confirmation to allow the change, avoiding a script changing the email and asking for a new password through email.
 * Detect malicious scripts with some regex. For example, let everybody edit JS and ask for a review of all scripts with an action=delete in a loop, preferences modifications, requests to the Special:ChangePassword page... Asking for a review of all code could lead to chaos, because the majority of JS modifications are minor changes.
 * As for reviewers, as I read above, there is no need for them all to be admins, but they have to be trustworthy.
 * The old login form is already due to be removed when the Helios authentication platform goes live.
 * There is no regex to detect malicious JavaScript. You could write it a thousand ways, obfuscate it, etc.—the only way to detect them is through a review by another human. This code review system will certainly have a rough start, but the more the code library gets populated with pre-reviewed snippets, the easier it will become to implement common changes.