Board Thread:General Discussion/@comment--20150814190019/@comment-13825175-20150815083318

Here is my ideas :
 * Remove the login form in all pages, force the login thought Special:UserLogin where JS codes are not executed, so no possibility to get the password from here, avoiding the using on Special:ChangePassword by a script to change the user password.
 * Avoid email changes by scripts or send a email confirmation to allow the change, avoiding a script to change the email and ask for a new password thought email.
 * Detect malicious script with some regex, for example, let allbody edit JS and ask for a review all scripts with a action=delete in a loop, preferences modifications, ask for Special:ChangePassword page... Ask all codes for a review could lead to chaos, because mostly, the majority of js modifications are minor changes.
 * For review, like I read above, there is no need they are all admins but they have to be trustworthy.