Security auditing and response

Rationale
Insecure code sucks :-)

Review queue
New requests for review should be added in Phabricator under the "Security-Reviews" project. A list of open security review requests can be found there.

The list below is obsolete as of December 2014, and should be removed as soon as we know that all of the open items are properly tracked in Phabricator.


 * Wikidata Property Suggester
 * Extension:Petition (bug 65850, 65849)
 * Extension:Mantle (bug 66238)
 * Flow Templates, based on Mantle
 * Extension:Petition
 * FundraisingChart
 * Extension:BounceHandler
 * Extension:Graph
 * ImageMetrics
 * Extension:RecentActivityFeed
 * on hold
 * Ex:Graph re-review
 * IEG Review App
 * #lsth part of Extension:Labeled_Section_Transclusion
 * WikibaseQuery / WikibaseQueryEngine
 * On hold, Pending discussion of 3rd-party component inclusion
 * WikiGrok
 * OOjs UI (PHP Implementation)
 * SandboxLink extension
 * GlobalUserPage
 * Aphlict (for Phabricator notifications)
 * Sprint (for Phabricator)
 * Varnishtee
 * Plancake email parser (bug 72956)
 * Ex:ContentTranslation (T85686)
 * Raven.js (part of T86677)
 * ApiFeatureUsage
 * liuggio/statsd-php-client (T90409)
 * Extension:Josa (T88261)
 * Wikimetrics for production
 * OCG service
 * TimedMediaHandler v2
 * Graphite
 * Ex:Math
 * ExtraLanguageLink
 * TwitterCards (bug 64967)
 * In other projects sidebar beta feature (bug 66850)
 * PubSubHubbub (bug 67118)
 * Limn

Reviewed

 * Wikibase client LinkItem
 * User Metrics API - Re-reviewing fixes in Dev Env
 * EasyRDF (for Wikidata)
 * Ex:OpenID
 * Multimedia Extensions
 * Flow
 * GLAM Upload
 * Wikimania Scholarship Application
 * Ex:Popups (bug 61743)
 * Compact interlanguage links
 * Flow's new templating engine (https://gerrit.wikimedia.org/r/#/c/103317/)
 * Twig (for use with Fundraiser code) v1.13 (https://gerrit.wikimedia.org/r/#/admin/projects/wikimedia/fundraising/twig)
 * Hadoop / Kafka (Kraken) infrastructure (bug 60632)
 * Camus
 * Varnishkafka