Last modified: 2005-07-27 01:50:54 UTC
Is it just me, or is the ability to edit another user's monobook.js file to execute arbitrary code a huge security breach? For instance, I was able to use my regular account to modify my test account to load up the betterhistory script the next time I logged in:

http://en.wikipedia.org/w/index.php?title=User:Omegatron_test_account/monobook.js&action=history

by adding the line

document.write('<script src="http://gladstone.uoregon.edu/~chill1/betterhistory/betterhistory.js"><\/script>');

User:Colin Hill is all worried that you should check his page's history before you copy and paste this line, since someone could edit his page and change the line to their own script. But they could just edit your user js themselves if they wanted to do that!

"First, check this page's history to make sure you aren't installing something else by mistake."
http://en.wikipedia.org/wiki/User:Colin_Hill/BetterHistory

I'm going to mark this as super-bad so people see it, and not going to mention it anywhere else. If I'm being paranoid and don't know what I'm talking about, just downgrade it and yell at me that I'm an idiot and need to RTFM or whatever.
Oh, this is just because I'm an admin, isn't it? Whoops.
One cannot edit another user's monobook.js unless one is a sysop.
(In reply to comment #2)
> One cannot edit another user's monobook.js unless one is a sysop.

I just figured that out. Sorry.