MediaWiki talk:Common.js

Submitted script change 2128988 rejected
The recently submitted change to this JavaScript page (revision 2128988) was rejected by the FANDOM review process. Please make sure you meet the Custom JavaScript guidelines.

Hey, thanks for using JS Review. I've rejected only because I'm slightly concerned about two security points. I don't like that notimodulePagename is never escaped anywhere. Potentially, if the page name had a worrying title made of dangerous code, bad things could happen. Because page names can be comprised of essentially javascript, there's reason, I think, to consider using POST over the less secure GET. You could also just not use a variable for the page you're going to display via this code. Instead, you could just make it absoluely be Template:Notimodule, and also escape that template's contents in a manner of your choosing. CzechOut 03:01, February 13, 2020 (UTC)