On Mon, 21 Jan 2013 21:50:32 -0800, Alex Brollo <alex.brollo(a)gmail.com>
wrote:
I tried to build a template which wraps template parameters into data-attributes. First results have been encouraging, then I found something logical but unexpected, crushing the whole idea.
I wrote into the code of an infobox-like template something like this:
<span data-author="{{{author}}}" data-birthdate="{{{birthDate}}}"....></span>
and I very happily saw that the HTML code had my data wrapped into such span tags.
But.... I was testing my code with clean templates, i.e. templates which have no wikicode in parameter values (as usually occurs on it.wikisource). As soon as I tested my idea on another project (Commons) I found that any wikicode (template call, parameter, link....) present in the value of an infobox parameter breaks the stuff, since it is parsed and expanded by the parser with unpredictable results.
So... I ask you again: is there any sound reason (i.e. safety related, or server loading related) to avoid that HTML comments, wrapped into raw page wikicode, are sent back into the HTML rendering as-they-are?
Alex Brollo
Yes.
Thanks to IE, even comments can actually be treated as raw html and end up
executing scripts opening up XSS holes in the wiki.
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [
http://danielfriesen.name/]
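An added example (not MediaWiki code and not from either poster) illustrating both points of the thread: template parameter values must be escaped before landing in data-* attributes, and HTML comments from page wikicode must not be copied into the rendered HTML as-is. Function names and the sample values are constructed for this illustration.

```python
import html
import re

# Constructed example: the span-with-data-attributes idea from the thread,
# with every parameter value escaped for an attribute context, plus a
# comment stripper that stands in for "do not pass comments through raw".

# Matches an HTML comment in page source (non-greedy, may span lines).
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def wrap_in_span(params):
    """Emit <span data-...> for a dict of template parameters.

    html.escape(quote=True) turns &, <, >, " and ' into entities, so a
    parameter value can never close the attribute, open a new tag, or
    start a comment in the rendered HTML.
    """
    attrs = []
    for name, value in params.items():
        attrs.append(f'data-{name}="{html.escape(str(value), quote=True)}"')
    return "<span " + " ".join(attrs) + "></span>"


def strip_comments(wikitext):
    """Remove HTML comments from page source before rendering.

    This is the defensive alternative to sending comments back into the
    HTML unchanged, which the reply warns can be interpreted as markup by
    some browsers.
    """
    return COMMENT_RE.sub("", wikitext)


def contains_raw_comment(html_out):
    """True if a literal comment opener survived into the output."""
    return "<!--" in html_out


if __name__ == "__main__":
    # Constructed sample value: contains quotes and a comment opener.
    sample = {"author": 'Dante "Alighieri" <!-- note -->'}
    print(wrap_in_span(sample))
    print(strip_comments("Text <!-- hidden --> more"))
```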