Just a guess: MediaWiki:Onlyifediting.js needs to be fixed for a recent change in the <charinsert> extension, see https://lists.wikimedia.org/pipermail/wikitech-ambassadors/2016-May/001417.html.

Probably documenting this somehow on MediaWiki.org will also do a world of good since it is also a extremely popular extension with non WMF wikis according to WikiApiary.

In T137955#2385393, @Kghbln wrote:

Probably documenting this somehow on MediaWiki.org will also do a world of good since it is also a extremely popular extension with non WMF wikis according to WikiApiary.

It'd only apply if they also copied really old versions of wikipedia javascript.

the [[s:de:mediawiki:OnlyIfEditing.js]] is full of Cross-site-scripting vulnerabilities.

It'd only apply if they also copied really old versions of wikipedia javascript.

Ah ok and thanks for clarifying! Did some fluff to the extension's page but I basically just expanded the info in the extensions box.

@Bawolff: Are you going to repair the errors?

Yes I am. Sorry for the delay. I havent had a chance to look at it in detail and The script is more complicated then the ones other wikis use

Hmm. https://de.wikisource.org/wiki/MediaWiki:ExternImage.js is also a violation of the privacy policy (Loading external images gives info to third parties), and also an xss via javascript: urls

Don't suppose we could just delete a good portion of the site js on dewikisource...?

My apologies for taking so long to respond.

@THE_IT, can you make the changes suggested at https://de.wikisource.org/wiki/MediaWiki_Diskussion:Onlyifediting.js#Fixes_for_charinsert_changes.

@Bawolff, we applied the fix which solved the initial issue. Thank you. According to the CSS vulnerabilities, let us know if you need support from our side.

In T137955#2396561, @Bawolff wrote:

Hmm. https://de.wikisource.org/wiki/MediaWiki:ExternImage.js is also a violation of the privacy policy (Loading external images gives info to third parties), and also an xss via javascript: urls

@Aschroet and @THE_IT, the ExternImage.js script seems to be a pretty big problem. Loading images from an external site without the user's consent is a violation of our privacy policy. In particular, we need to clearly inform everyone which third parties are getting any information the external image hosting service is getting (see "When we may share" in our privacy policy).

How exactly is ExternImage.js being used?

We will trigger a request for deletion of https://de.wikisource.org/wiki/Vorlage:ExtImage. This should be the only template which uses the vulnerable code.

In T137955#2486384, @THE_IT wrote:

We will trigger a request for deletion of https://de.wikisource.org/wiki/Vorlage:ExtImage

Deletion has been proposed in https://de.wikisource.org/wiki/Vorlage:ExtImage , decision after four weeks.

In T137955#2543529, @Aklapper wrote:

Deletion has been proposed in https://de.wikisource.org/wiki/Vorlage:ExtImage , decision after four weeks.

I pinged on https://de.wikisource.org/wiki/Wikisource:L%C3%B6schkandidaten#Vorlage:ExtImage whether there are any news.

problematic code was deleted