Security auditing and response

Rationale
Insecure code sucks :-)

Review queue
This list may not be complete (possibly due to missing one out, or security reasons for not putting this out there), and may not be in priority order.


 * Wikidata Property Suggester
 * Extension:Petition (bug 65850, 65849)
 * Extension:Mantle (bug 66238)
 * Flow Templates, based on Mantle
 * Extension:Petition
 * FundraisingChart
 * Extension:BounceHandler
 * Extension:Graph
 * ImageMetrics
 * Extension:RecentActivityFeed
 * Ex:Graph re-review
 * IEG Review App
 * #lsth part of Extension:Labeled_Section_Transclusion
 * WikibaseQuery / WikibaseQueryEngine
 * On hold, Pending discussion of 3rd-party component inclusion
 * WikiGrok
 * OOjs UI (PHP Implementation)
 * SandboxLink extension
 * GlobalUserPage
 * Aphlict (for Phabricator notifications)
 * Sprint (for Phabricator)
 * Varnishtee
 * Plancake email parser (bug 72956)
 * TimedMediaHandler v2
 * Graphite
 * Ex:Math
 * ExtraLanguageLink
 * TwitterCards (bug 64967)
 * In other projects sidebar beta feature (bug 66850)
 * PubSubHubub (bug 67118)
 * Limn
 * PubSubHubub (bug 67118)
 * Limn

Reviewed

 * Wikibase client LinkItem
 * User Metrics API - Re-reviewing fixes in Dev Env
 * EasyRDF (for Wikidata)
 * Ex:OpenID
 * Multimedia Extesions
 * Flow
 * GLAM Upload
 * Wikimania Scholarship Application
 * Ex:Popups (bug 61743)
 * Compact interlanguage links
 * Flow's new templating engine (https://gerrit.wikimedia.org/r/#/c/103317/)
 * Twig (for use with Fundraiser code) v1.13 (https://gerrit.wikimedia.org/r/#/admin/projects/wikimedia/fundraising/twig)
 * Hadoop / Kafka (Kraken) infrastructure (bug 60632)
 * Camus
 * Varnishkafka