On Wed, Mar 14, 2018 at 9:14 AM, Jon Robson <jdlrobson(a)gmail.com> wrote:
It has always made me a little uneasy that there are
wiki pages where
JavaScript could potentially be injected into my page without my approval.
To be honest if I had the option I would disable all site and user scripts
for my account.
It's not particularly hard to with a browser extension, you just need to
edit ResourceLoader (load.php) URLs and remove the 'user', 'site',
'ext.gadget.*' modules.
Has this sort of thing happened before?
Outside Wikimedia, plenty.
http://www.bbc.com/news/technology-43025788 was
one of the more high-profile examples.
On Wikimedia wikis, well-intentioned but misguided uses of external scripts
are not uncommon (back when I was a fairly new admin on the Hungarian
Wikipedia, we included an AWStats counter in the page footer under an, uh,
fairly liberal interpretation of the terms of use... the developers were
not amused). As far as I am aware there was no malicious one.