Board Thread:Code Review/@comment-24728531-20151119154617/@comment-24473195-20151230114013

I noticed that nobody reviewed the script, and so you've published it. But there are a couple of possible security exploits:


 * You set the data without sanitizing it:

 // Raw values read straight from the form fields (val() is a method call, not a property)
 var imgLink = $that.find('.MedalListLinkImage').val();
 var titleNew = $that.find('.MedalListTitle').val();
 var nameNew = $that.find('.MedalListName').val();
 var prevName = $that.find('.MedalListName').attr('data-prev');
 // Written into the preview image's attributes with no validation in between
 $that.find('.MedalImagePreview img')
     .attr('src', imgLink)
     .attr('title', titleNew)
     .attr('data-prev', nameNew);

Read through these to get acquainted with mediawiki best practices:
 * https://www.mediawiki.org/wiki/Security_for_developers/Tutorial
 * https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Given these attack vectors, I highly doubt Wikia will allow this code to run on any wikia.
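As an added example (not code from the reviewed script or from this thread), here is a hardened form of the quoted handler. The selectors and field names are the ones quoted above; the helper names, the scheme allow-list, the length cap and the placeholder base origin are assumptions for illustration. The practical check for an attribute-setting sink like this is on the URL value itself: jQuery's attr() writes through setAttribute and does not parse markup, so the thing to refuse is a src whose scheme is not plain http(s) (javascript:, data:, vbscript: and friends), plus control characters that some parsers silently tolerate.

```javascript
// Added example, not the original script. Validates the medal-preview inputs
// before they reach the DOM; helper names and limits are assumed.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // assumed allow-list
const MAX_TEXT_LEN = 200;                               // assumed cap
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Resolve the candidate against a placeholder origin so relative paths such
// as "/images/foo.png" are accepted, then reject any scheme outside the
// allow-list. Control characters are rejected outright because the URL
// parser strips tabs/newlines, which would otherwise let "java\nscript:"
// read as a valid scheme.
function safeImageUrl(raw) {
  if (typeof raw !== 'string') return null;
  const trimmed = raw.trim();
  if (trimmed === '' || CONTROL_CHARS.test(trimmed)) return null;
  let parsed;
  try {
    parsed = new URL(trimmed, 'https://placeholder.invalid/'); // placeholder base, assumed
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return trimmed;
}

// Plain-text attributes (title, data-prev): setAttribute will not interpret
// markup, so the remaining concerns are stray control characters and size.
function safeAttrText(raw) {
  if (typeof raw !== 'string') return '';
  return raw.replace(new RegExp(CONTROL_CHARS.source, 'g'), '').slice(0, MAX_TEXT_LEN);
}

// Build the attribute map for the preview image, or null if the image URL
// fails validation (in which case the preview is not updated at all).
function buildPreviewAttrs(fields) {
  const src = safeImageUrl(fields.imgLink);
  if (src === null) return null;
  return {
    src: src,
    title: safeAttrText(fields.titleNew),
    'data-prev': safeAttrText(fields.nameNew),
  };
}

// Hardened form of the quoted handler; jQuery and $that are assumed to exist
// in the wiki page, as in the original snippet.
function updatePreview($that) {
  const attrs = buildPreviewAttrs({
    imgLink: $that.find('.MedalListLinkImage').val(),
    titleNew: $that.find('.MedalListTitle').val(),
    nameNew: $that.find('.MedalListName').val(),
  });
  if (attrs === null) return false; // refuse rather than set a bad src
  $that.find('.MedalImagePreview img').attr(attrs);
  return true;
}
```

Protocol-relative URLs ("//host/x.png") pass the scheme check because they resolve to https under the placeholder base; if the wiki should only ever load images from its own file host, add a host allow-list on parsed.hostname as well.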