Board Thread:Script Suggestions/@comment-1158325-20160320103956/@comment--20160323142314

Bobogoobo wrote: @DaNASCAT: echoing the above; how hard is it just to whitelist gadgets- pages and add the .js pages to JS Review, so that other communities can use the feature in the indeterminate amount of time it takes you to refine and implement your long-term vision?

I really don't think it's necessary to "secure" people who know what they're doing. Requiring users to find workarounds like naming pages "-js" instead of ".js" seems even less secure to me.

It's not difficult, but it requires engineering time to fully review each and every message for XSS vulnerabilities, and frankly Gadgets (considering its size and scope) is simply not as important as other messages at the top of the to-do list. Gadgets is being used by just 127 communities right now. I know that some of those 127 are very big wikis, but looking at the big picture, Gadgets simply is something Wikians haven't really utilized over the years, and thus we're not going to be able to invest a lot into it. The "-js" method you mention shouldn't be happening, as part of what our Code Review team does with each revision review is ensure the revisions meet our standards, and paying close attention to imported file names is part of it.

Re: Migration plan, I do encourage communities to move away from Gadgets, but I am not forcing any community to do so. If you want to keep Gadgets as is, that's acceptable. I realize that my initial reply to Bobogoobo implied otherwise - it was poor wording on my part and I apologize.

Re: Review times, review times are good. Every analytic I've seen shows that we are on average turning around a revision within 4-5 hours, and during the weekday we have met a 24H SLA for 98.6% of revisions. Rappy has even been kind enough to take some time out of his weekends to try to turn around weekend review faster.