Manual:$wgUseXssLanguage/zh
| 语言、区域和字符编码设置: $wgUseXssLanguage | |
|---|---|
| Whether to enable the x-xss language code, used to make checking for XSS issues more convenient. |
|
| 引进版本: | 1.41.0 (Gerrit change 959239; git #e9991ffb) |
| 移除版本: | 仍在使用 |
| 允许的值: | (boolean) |
false (but true in DevelopmentSettings.php) |
|
| 其他设置: 按首字母排序 | 按功能排序 | |
Details
Whether to enable the x-xss language code, used to make checking for XSS issues more convenient.
When this feature is enabled, the language code can be selected via the ?uselang=x-xss URL parameter.
In this fake language, every interface message becomes a simulated cross-site scripting attack, trying to run alert("message-key") JavaScript code; this simulates an attacker who can change individual messages (e.g. an administrator who can edit the MediaWiki namespace).
This feature does not affect parser output.
If any alert is shown in the browser, then the corresponding message was not escaped correctly; either the code using the message needs to be fixed, or the message key should be added to $wgRawHtmlMessages.
If you want this to also apply to messages using ->inContentLanguage(), you will need to set $wgLanguageCode = 'x-xss';.
This feature should never be enabled on a production wiki, but it can be very useful for development.