Board Thread:Code Review/@comment-4356266-20151008134915/@comment-4356266-20151011162126

Dessamator wrote: I'm not sure why you're allowing anchor links there in the first place. If you opt to accept wikitext only, just use the action parse api (https://www.mediawiki.org/wiki/API:Parsing_wikitext).

It automatically sanitizes all the data, see (https://www.mediawiki.org/wiki/Manual:Parser.php#Description) for more information. It will also remove (or escape) any anchor links as those aren't valid wikitext.

In my opinion, allowing raw HTML is a bad idea. What are the differences between using the API and action=render? I write the script on the assumption that action=render also sanitizes data to some degree, as if the page content were to be displayed. An unrelated incident, where I tried to add onclick directly to a page and it was removed on the rendered page, convinces me of that.