ee4d5c6eed
tl;dr: Having unnessary complexity in security critical code is bad.
* Extra options add extra complexity and maintenance burden
** Thus we should only have one html output mode. well formed = false
was already vetoed in T52040, so lets go with WellFormed=true.
* Options which are used by very few people tend to get tested less
* Escaping is an area of code where we should be very conservative
* Having escaping rules depend on making assumptions about which
characters various browsers consider "whitespace" is scary
* $wgWellFormedXml=false has had a negative security impact in the
past (Usually not directly its fault, but has made other bugs
more exploitable)
* Saving a couple bytes (even less bytes after gzip taken into
account) is really not worth it in this context (imho).
Change-Id: I5c922e0980d3f9eb39adb5bb5833e158afda42ed
|
||
|---|---|---|
| .. | ||
| MagicVariableTest.php | ||
| MediaWikiParserTest.php | ||
| NewParserTest.php | ||
| ParserMethodsTest.php | ||
| ParserOutputTest.php | ||
| ParserPreloadTest.php | ||
| PreprocessorTest.php | ||
| TagHooksTest.php | ||
| TidyTest.php | ||