Board Thread:Support Requests - Getting Technical/@comment-25295528-20161017152024/@comment-24473195-20161019085348

Rappy 4187 wrote:

Dessamator wrote: Not really, Rappy's change was restoring a previous functionality that allowed XSS, http://dev.wikia.com/wiki/MediaWiki:WikiaNotification/code.js?diff=prev&oldid=37436. The person who changed it to ".text" actually made the breaking change, since the script was documented as allowing anchor tags all along.

In any case, that script should be disabled until this is fixed, and should probably be reported through Special:contact/security, or maybe ask VSTF to delete the script for now (since there is no disable mechanism).

The former code was allowed in as such, as the message itself would have to be reviewed for security purposes regardless.

True, but it was a dangerous gamble, because someone could have set that variable through another unrelated script, making it harder to detect:

var name = "wikianotifs";
var a = "..."; // the payload string, elided in the original post
console.log(window[name] = a); // assigns the global by name and logs the value

Or, even simpler, set up a script that retrieves variables from a MediaWiki page, much like the ProfileTags script.

Not to mention the fact that constant reviews for minor changes, such as simple text, are what this thread is all about. They are quite simply unnecessary. Converting, disallowing or escaping are better alternatives.
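The "converting or escaping" alternative the post argues for, shown as an added example that is not the WikiaNotification script's own code. It assumes a function name (renderNotification) and a restricted "[url label]" link syntax that are inventions for this illustration; the point is that the notification message is never used as raw HTML, so whoever manages to set the global (as in the window[name] trick above) cannot inject markup, while the documented ability to produce anchor tags is kept by converting a safe syntax into them.

```javascript
// Added example, not the original script. The names renderNotification,
// renderUnsafe and the "[https://... label]" link syntax are assumptions.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Accept only absolute http(s) URLs; javascript:, data: and friends are rejected.
function safeHref(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(url) ? url : null;
}

// "Converting": turn the restricted syntax "[https://example.org label text]"
// into <a> tags; every other character of the message is escaped, so the
// message can never carry markup of its own.
function renderNotification(message) {
  var out = '';
  var re = /\[(\S+)\s+([^\]]+)\]/g;
  var last = 0;
  var m;
  while ((m = re.exec(message)) !== null) {
    out += escapeHtml(message.slice(last, m.index));
    var href = safeHref(m[1]);
    if (href) {
      out += '<a href="' + escapeHtml(href) + '">' + escapeHtml(m[2]) + '</a>';
    } else {
      // Unsafe URL: keep the source text (escaped) instead of emitting a link.
      out += escapeHtml(m[0]);
    }
    last = re.lastIndex;
  }
  out += escapeHtml(message.slice(last));
  return out;
}

// The "before" pattern discussed in the thread: the message is used as HTML
// unchanged, so whoever controls the global controls the markup.
function renderUnsafe(message) {
  return String(message);
}

// Constructed sample: an unrelated script sets the global by name, exactly
// as described above. A plain object stands in for window so this runs
// outside a browser.
var fakeWindow = {};
var globalName = 'wikianotifs';
fakeWindow[globalName] =
  'New rule: see [https://example.org/rules the rules] <img src=x onerror=alert(1)>';

var unsafeHtml = renderUnsafe(fakeWindow[globalName]); // contains the <img ...> payload
var safeHtml = renderNotification(fakeWindow[globalName]); // link kept, payload escaped
```

With the injected message above, renderUnsafe hands the browser a live `<img ... onerror=...>` element, while renderNotification produces a single anchor to https://example.org/rules followed by the payload as harmless escaped text. A message such as `[javascript:alert(1) click]` yields no anchor at all, because the scheme check fails and the text is emitted escaped instead.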