Last modified: 2012-08-30 16:29:56 UTC
While testing the long filenames issue, I noticed that the super-long Belorussian monument name actually contains a literal "<br />" tag. This is being output unescaped into the app's HTML document, appearing as a line break. This is an HTML injection vector which is at best fragile and at worst a security danger. It looks like the <%= foo %> syntax in the template doesn't do any escaping... this should be fixed, or else explicit HTML escaping needs to be added to everything we output.
IMO this should be prioritized above all other outstanding issues and dealt with prior to launch.
Marking as blocker.
Per http://underscorejs.org/#template we should use <%- foo %> to get escaping. Nice!
https://github.com/wikimedia/WLMMobile/pull/217
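The following is an added example illustrating the difference between the two tags discussed above; it is not code from the WLMMobile repository or from Underscore itself. To run offline it uses a small constructed template renderer that supports only `<%= %>` (interpolate, unescaped) and `<%- %>` (escape) with plain key lookups, and it escapes the same six characters Underscore's `_.escape` documents (`& < > " ' \``). The `monument` object and its name are constructed sample data, not the real record from the report.

```javascript
// Constructed mini-implementation of the two Underscore interpolation tags.
// Not Underscore's own code: it only supports dotted key lookups, no eval.

// Same character set that Underscore's _.escape converts to entities.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render "<%= key %>" (raw) and "<%- key %>" (escaped) against `data`.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, tag, key) => {
    const value = key.split('.').reduce((obj, k) => (obj == null ? undefined : obj[k]), data);
    const text = value == null ? '' : String(value);
    return tag === '-' ? escapeHtml(text) : text;
  });
}

// Constructed sample record: a name that carries markup, as in the report.
const monument = { name: 'Example monument<br />with injected markup' };

// The template the app would use: the only difference is the tag.
function renderUnescaped() { return render('<li><%= name %></li>', monument); }
function renderEscaped() { return render('<li><%- name %></li>', monument); }

// Defender-side check: count the HTML tags in the rendered output. Anything
// beyond the two tags present in the template came from the data.
function countTags(html) { return (html.match(/<[^>]+>/g) || []).length; }

console.log(renderUnescaped()); // the "<br />" becomes a real element
console.log(renderEscaped());   // the "<br />" is shown as literal text
```

With `<%= %>` the data-supplied `<br />` is emitted as markup and the tag count rises to three; with `<%- %>` it is entity-encoded and only the template's own `<li>`/`</li>` remain, which is the property a quick output check can assert on.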