For JavaScript that reads values from data attributes: if the data attributes are not user controlled, use names starting with data-mw (e.g. data-mw-newsletter-id instead of data-newsletter-id) unless you have a good reason not to. This prevents users from forging data attributes. In the context of this extension, user forging does not appear to be an actual issue; however, using the data-mw convention helps future-proof things against any later changes where such an issue might be relevant.
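The reason the prefix matters is that user-supplied markup may carry ordinary data-* attributes, while the data-mw namespace is reserved for software-generated output. The following is an added illustration, not code from the Newsletter extension or MediaWiki's Sanitizer: a simplified reimplementation of that attribute rule (an assumption about its exact behaviour) beside the reader that the extension's JavaScript would use, showing which attribute name a user can forge and which one they cannot.

```javascript
// Illustrative stand-in for the sanitizer rule (assumed, not MediaWiki's own code):
// user-supplied HTML may keep data-* attributes except those starting with "data-mw",
// which are reserved for markup generated by the software itself.
const RESERVED_PREFIX = /^data-mw/i;

// Apply the rule to a map of attribute name -> value taken from user markup.
function sanitizeUserAttributes(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const lower = name.toLowerCase();
    if (RESERVED_PREFIX.test(lower)) {
      continue; // reserved namespace: dropped from user-controlled content
    }
    out[lower] = value;
  }
  return out;
}

// Extension-side reader: with the data-mw- prefix, the value can only have been
// emitted by the extension's own output, never by user markup that survived sanitizing.
function readNewsletterId(attrs) {
  const raw = attrs['data-mw-newsletter-id'];
  if (raw === undefined) return null;
  const id = Number.parseInt(raw, 10);
  return Number.isInteger(id) && id > 0 ? id : null;
}

// Constructed sample: a user places both attribute spellings in their own markup.
const forgedByUser = {
  'data-newsletter-id': '999',    // old name: survives sanitizing
  'data-mw-newsletter-id': '999', // new name: stripped by the rule above
  class: 'newsletter-subscribe',
};
const fromExtension = { 'data-mw-newsletter-id': '42' }; // constructed trusted output

function demo() {
  const survivors = sanitizeUserAttributes(forgedByUser);
  return {
    oldNameForgeable: 'data-newsletter-id' in survivors,
    newNameForgeable: 'data-mw-newsletter-id' in survivors,
    idFromUser: readNewsletterId(survivors),
    idFromExtension: readNewsletterId(fromExtension),
  };
}
```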
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
Use data-mw-newsletter-id instead of data-newsletter-id | mediawiki/extensions/Newsletter | master | +4 -4
Status | Subtype | Assigned | Task
---|---|---|---
Duplicate | | Qgil | T125545 Phabricator Q&A session for Community Liaisons
Resolved | | Qgil | T116025 Goal: Align Community Liaison and Developer Relations project management practices
Resolved | | Qgil | T119387 Community Liaison and Developer Relation quarterly goals for January - March 2016
Declined | | None | T104131 Exporting existing newsletter to the Newsletter extension
Resolved | | Addshore | T110170 Goal: Deploy Newsletter extension in Wikimedia
Duplicate | | None | T115098 Deploy Newsletter extension in beta cluster
Resolved | | ori | T127297 Add the Newsletter extension to the Beta Cluster
Resolved | | Bawolff | T115095 Security review of Newsletter extension
Resolved | | 01tonythomas | T159085 [Security] Improve data attribute naming to avoid forge
Event Timeline
Change 340655 had a related patch set uploaded (by MtDu):
[mediawiki/extensions/Newsletter] Use data-mw-newsletter-id instead of data-newsletter-id
[rm tag security-review. That should only be on the parent bug requesting the security review]
Change 340655 merged by jenkins-bot:
[mediawiki/extensions/Newsletter@master] Use data-mw-newsletter-id instead of data-newsletter-id