BreadCrumbs2 - What's wrong with it?
Ack! An extension I'm using has been marked as a "Code Injection" risk.
Why was it marked and how do I fix it?
Also, is it an issue if the wiki or the MediaWiki:Breadcrumbs page is read-only to all but Administrators?
The hole is due to the use of preg_replace's /e flag.
Frankly, the whole code of the extension is a poorly coded mess. The extension is all over the place with bad string comparisons instead of using Title methods, hardcoded URL building, etc.
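An added example of the usual fix for the `/e` problem named in the reply above, not code from BreadCrumbs2 or from either poster: the `{{name}}` token syntax, `renderCrumbs()` and the sample values are hypothetical. It replaces an evaluated replacement string with `preg_replace_callback`, so matched text is only ever used as data.

```php
<?php
// Added example; not BreadCrumbs2's code. Token syntax and names are hypothetical.
//
// Vulnerable form, kept as a comment (the /e modifier was deprecated in
// PHP 5.5 and removed in PHP 7.0):
//
//   preg_replace('/\{\{(.+?)\}\}/e', 'lookup("$1")', $template);
//
// With /e the replacement string is evaluated as PHP code after the
// backreferences are substituted into it, so text matched from page
// content becomes part of code that is executed.

// Hardened form: the callback receives the match as a plain array and
// uses it only as a lookup key.
function renderCrumbs(string $template, array $values): string
{
    $out = preg_replace_callback(
        '/\{\{([^{}]+)\}\}/',
        function (array $m) use ($values): string {
            $key = trim($m[1]);
            // Known token: substitute its value. Unknown token: leave the
            // original text in place. Both are HTML-escaped on output.
            $text = array_key_exists($key, $values)
                ? (string) $values[$key]
                : $m[0];
            return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
        },
        $template
    );

    // preg_replace_callback() returns null on a regex engine error;
    // fall back to the escaped, unexpanded template in that case.
    return $out ?? htmlspecialchars($template, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: two known tokens and one that looks like code.
$values = ['title' => 'Main Page', 'category' => 'Help & "FAQ"'];
echo renderCrumbs('{{category}} / {{title}} / {{strtoupper("x")}}', $values), "\n";
```

The code-looking token in the sample is passed through as escaped text because nothing in the hardened path evaluates the match.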