Extension talk:NamespaceReadRestrict

Security concerns about use of isset
If I recall correctly, the use of isset is an XSS vulnerability. --Jasper Deng (talk) 01:44, 12 September 2012 (UTC)
 * I did a cursory Google search and checked Security for developers. I see nothing along those lines; let me know if you come up with anything. Leucosticte (talk) 02:26, 12 September 2012 (UTC)
 * See Security for developers and Template:Page security extension disclaimer. --Jasper Deng (talk) 02:38, 12 September 2012 (UTC)
 * OK, I got rid of isset. I don't quite see what you're getting at with the latter link. Is the recently-added TitleReadWhitelist a secure means of accomplishing per-page restriction? If so, what is the issue you are concerned about? Leucosticte (talk) 13:39, 12 September 2012 (UTC)
 * The use of isset allows XSS via register_globals. I'm not a proficient developer so you'd have to ask another developer exactly why this is a problem. However, your extension looks good now so I'm upgrading it. When it has been tested enough it can be given stable status. --Jasper Deng (talk) 17:33, 12 September 2012 (UTC)
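
Added example, not part of the thread above and not the extension's own code: a sketch of the register_globals concern raised in the last reply, showing an isset-guarded default beside an unconditional default with escaped output. The variable `$wgExampleMessage` and both function names are hypothetical, and register_globals (removed in PHP 5.4) is simulated by copying request parameters into `$GLOBALS`.

```php
<?php
// Constructed sketch. $wgExampleMessage and the function names are
// hypothetical; they are not taken from NamespaceReadRestrict.

// Stand-in for register_globals=On: every request parameter becomes a
// global variable before any extension code runs.
function simulateRegisterGlobals(array $request): void {
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Risky pattern: isset() cannot tell "set by the site configuration"
// apart from "set by the request", so a request-supplied value is kept.
function setupWithIsset(): string {
    if (!isset($GLOBALS['wgExampleMessage'])) {
        $GLOBALS['wgExampleMessage'] = 'Access restricted';
    }
    // The value is emitted without escaping.
    return '<p>' . $GLOBALS['wgExampleMessage'] . '</p>';
}

// Hardened pattern: the extension file assigns its default
// unconditionally (site configuration loaded afterwards may still
// override it), and the value is escaped when it is written to HTML.
function setupHardened(): string {
    $GLOBALS['wgExampleMessage'] = 'Access restricted';
    return '<p>'
        . htmlspecialchars($GLOBALS['wgExampleMessage'], ENT_QUOTES, 'UTF-8')
        . '</p>';
}

// Constructed request input carrying markup in a parameter that has the
// same name as the configuration global.
$request = ['wgExampleMessage' => '<script>alert(1)</script>'];

simulateRegisterGlobals($request);
// Here the request-supplied markup survives the isset() guard.
echo setupWithIsset(), "\n";

simulateRegisterGlobals($request);
// Here the injected global is overwritten and the output is escaped.
echo setupHardened(), "\n";
```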