Last modified: 2012-10-29 18:10:15 UTC
Create a new link in the visual editor. Add this text as the link target (including quotes exactly):

    " onmouseover="alert(document.cookie)" alt=

When mousing over the link in the editor, you'll get an alert popup with cookie contents. Same occurs in the HTML serialization ("preview").

I notice that ve.Html.makeAttributeList() doesn't do any escaping. Changing it locally to escape the text before putting it into an attribute seems to help on the preview (HTML serialization) but not in the editor.
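The missing attribute escaping described in the report above, as an added example that is not part of the original report and is not VisualEditor's code. The function names are hypothetical, and the example covers only the HTML serialization path, not the editor's rendering.

```javascript
// Added example; function names are hypothetical, not VisualEditor's API.

// Escape the characters that matter inside a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Behaviour described in the report: values are concatenated verbatim.
function makeAttributeListUnsafe(attrs) {
  return Object.keys(attrs)
    .map((name) => ' ' + name + '="' + attrs[name] + '"')
    .join('');
}

// Hardened form: every value is escaped before it is quoted.
function makeAttributeListSafe(attrs) {
  return Object.keys(attrs)
    .map((name) => ' ' + name + '="' + escapeAttr(attrs[name]) + '"')
    .join('');
}

// Minimal scanner for complete name="value" pairs, enough to show which
// attribute names a parser would find in the serialized list.
function attributeNames(attrList) {
  const names = [];
  const re = /([^\s"=]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(attrList)) !== null) {
    names.push(m[1]);
  }
  return names;
}

// Link target quoted in the report.
const linkTarget = '" onmouseover="alert(document.cookie)" alt=';
const attrs = { href: linkTarget };

// Unsafe output gains an event-handler attribute; safe output keeps one href.
console.log(attributeNames(makeAttributeListUnsafe(attrs))); // href, onmouseover
console.log(attributeNames(makeAttributeListSafe(attrs)));   // href
```
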
This is a bug report against old code, but the new code had a similar issue. Now fixed with https://gerrit.wikimedia.org/r/#/c/12550/1
Mass-moving old VisualEditor tickets to the VE product. Search for this message to mass-delete bugmail.
Noting bugs closed in the 2012-10-15 release.