MediaWiki talk:Userjsdangerous

About
I split this message out of MediaWiki:Clearyourcache in order to transclude it on a number of interface pages. I've filed a bug report at 14534 to hopefully get this its own system message. Only having this warning message on a single page that is easily bypassed was sort of freaking me out. --- RockMFR 03:29, 14 June 2008 (UTC)

Also, this message is still a bit too alarmist and not informative enough for my tastes. Probably would be good to make a simple "how to stay secure" guide somewhere. --- RockMFR 03:35, 14 June 2008 (UTC)


 * The split out was a good thing. I don't have much of a point of view on the text content. But yeah, a link to some longer explanation could be good, when someone has written such a guide.
 * --David Göthberg (talk) 22:46, 29 October 2008 (UTC)

Too many places
I suggest this warning is only transcluded into Usercsspreview, Userjspreview and Usercssjsyoucanpreview which are displayed when the user is actually editing a js/css file. The warning should be removed from: —AlexSm 04:08, 2 July 2008 (UTC)
 * Clearyourcache so it's not displayed on other users' pages,
 * Userinvalidcssjstitle because editing a custom (non-skin) js/css file is not dangerous by itself.


 * I think it should be kept on MediaWiki:Userinvalidcssjstitle, since I can imagine a number of cases when editing a non-standard CSS page can be dangerous.
 * --David Göthberg (talk) 22:46, 29 October 2008 (UTC)


 * I see the message is still in Clearyourcache. At least you could use different warnings in different places. When I (non-admin) look at other users' monobook.js, I see pinkish "Code that you insert on this page ... code you are adding to this page ..." which is simply misleading. —AlexSm 21:32, 3 March 2009 (UTC)


 * AlexSm: Unfortunately we have no way from template coding (or CSS) to detect which user is visiting the page. Thus we can not make it so the warning only shows when the user whose user CSS page it is (who can edit the page) is visiting. We could do it with javascript, but adding more code to the global javascripts would slow down page load and rendering for all other pages. Besides, most users don't visit other users' CSS pages. And I guess that most users who do visit other users' CSS pages are a bit more knowledgeable than the average user, thus they probably understand the message is not for them.
 * So, I think we have to live with the same message being shown to all visitors to the user CSS pages.
 * --David Göthberg (talk) 22:39, 3 March 2009 (UTC)

Warning colour
I think we should perhaps change the colours and styles of this box to use the now more or less standardised pink warning notice colour. See fmbox for the style. Even though I think the message then will look more boring.

--David Göthberg (talk) 22:46, 29 October 2008 (UTC)


 * That's not a bad idea. Here's how it would look:


 * Any objections? —Remember the dot (talk) 00:08, 1 January 2009 (UTC)


 * I had forgotten about this when I stumbled on this page again today. I have now changed to the new style, since there has not been any objections. Since it is so easy to change back I think it is easier to do the change to get reactions, than to spam a lot of talk pages about it. Note that I liked the old style too, so this is merely to make our different warning messages consistent.
 * --David Göthberg (talk) 22:59, 26 February 2009 (UTC)

The warning should apply to CSS as well
The warning currently states "If this is a .js page, the code will be executed when previewing the page.". However, on Internet Explorer, CSS can execute javascript using the expression value. See CSS hack. --Nezek (talk) 17:36, 25 February 2009 (UTC)


 * Unfortunately you seem to be right about that. (And why are we not surprised that MS have added a dangerous script function to yet another program?) So I changed the last sentence in the message from:
 * If this is a .js page, the code will be executed when previewing the page.
 * To:
 * The code will be executed when previewing this page.
 * And that is kind of correct anyway, even if we don't take the Internet Explorer problem into account, since the CSS code is executed when we preview our CSS pages here at Wikipedia. And one can do pretty unpleasant (but not really dangerous) things already with standard CSS.
 * --David Göthberg (talk) 23:07, 26 February 2009 (UTC)

Extend the message

 * It seems this change caused a bit of confusion over at Help desk and Village pump (technical).


 * I think the warning would be more accurate and helpful as something along these lines.


 * --Nezek (talk) 17:23, 28 February 2009 (UTC)


 * For future reference, here is the current version of the message (at the time I write this):


 * Nezek: Yes, I agree the current version of the message is a bit cryptic. Even for me as an ex-researcher in computer security it took some thinking to understand what the message meant the first time I saw it. But I don't entirely like your extended version:
 * 1: Computers don't execute "content", they execute "code". So I would like to change the word "content" back to "code".
 * 2: I think your version is a bit too much geek talk. I think most users will stop reading it at about "user privileges". So I would like a version somewhere between your version and the current version. Perhaps something like this:


 * 3: Of course, we could perhaps do like we have done with some other messages, we could add a (learn more) link at the end of the message. And link it to some page where we explain more in-depth. But I kind of like that the message only has a single link going to where users can ask about what this is. And that is also why I don't want the word executed to be linked.
 * 4: I like your wording "can be used to compromise" instead of "capable of compromising" since it makes it clearer that this is caused by a human attacker, not by some bug.
 * 5: I slightly dislike the wording "you can ask at the appropriate village pump". To me "appropriate" sounds like the user has to actively choose on which village pump to ask. But the link already goes to the right pump. So perhaps we could change that to something like "you can ask at the technical village pump" or simply "you can ask at the village pump". I am not sure which is the best, so I haven't changed that in my version above.
 * --David Göthberg (talk) 11:27, 1 March 2009 (UTC)


 * I see. I should have explained in detail why I worded it the way I did.


 * Since this is a techy subject, there is no way to avoid explaining it in a technical manner. That's not to say it has to be complicated for the average user; it can be explained with simple wording and internal links, just like any article on Wikipedia aspires to do.


 * The distinction between code and plain text, although valid, isn't relevant here. It will only complicate things for users that can't make that distinction. It can also be hard for experienced users to make that distinction, if you consider the question of what qualifies as "code". In theory, a certain Gadget might be harmless, but if added in combination with specific text, it can become harmful. However, this warning is displayed for pages that contain code, so I suppose I don't object to either "code" or "content"; it doesn't really matter.


 * Having links that expand on the meaning of certain terms will help users understand the situation better, and the results of their actions. They will also be more likely to ask for (and wait for) help on VP because of that. The link to "execute" is important because the word is techy and not self-explanatory.


 * That being said, I think it will be more accurate and helpful to explain the cause of the problem, user privileges, instead of the result of the problem, which is malicious content. And, since user privileges is the point of the warning, it should be marked in bold. This way, it also avoids confusion such as in Help desk that I linked to above. I don't consider "user privileges" geek talk; it's pretty straight and to the point (and comes with its own link). However, if you have simpler alternatives that have the same meaning, I'll be glad to hear them. Maybe "will be granted a security clearance to your account information"? It sounds so 24-like.


 * I agree with you that "appropriate" is redundant, I like "you can ask at the village pump". Cheers --Nezek (talk) 15:00, 1 March 2009 (UTC)


 * I see what you mean about "content" vs "code", but I still prefer "code". But yeah, it doesn't matter much to me either.
 * I kind of disagree about the cause of the problem, although that is more of a philosophical discussion so I'll skip that for now.
 * I think it is important to avoid the "sea of blue effect" in message boxes. Also remember that the users that most need this message are the least intelligent users who don't understand technical details. So we need to keep it very simple.
 * What this message really means is:
 * "If you don't know what you are doing here, and if you don't trust the person that asked you to do it, go ask at the village pump and you will get help."
 * It is not as important that these users understand exactly what it is about, as that they understand where to ask for help. I think that your example Help desk is a positive example. That user would probably not have been helped by links to privilege (computing) and execution (computing). He would probably just have been more confused by reading those pages. And he might even have ended up asking his question at the talk page of one of those pages linked to... Instead he got exactly the help he needed, that is some experienced users took a look and told him that all was okay. (Well, he got the help over at the help desk instead, but anyway.)
 * And again, I think that if you want a longer and more techy explanation then it should go on a separate page, say named JS and CSS security. And then we can link to that page using a (learn more) link at the end of the message. But really, it isn't that many users that find and edit their js or css pages, so unless someone really is in the mood to write the longer explanation then we can handle the occasional question over at the village pump.
 * So I guess we should wait for opinions from other users on what text and links this message should have?
 * --David Göthberg (talk) 19:50, 1 March 2009 (UTC)


 * Yes, we should wait for other users to comment.
 * As for what you said, I don't agree. Warnings are meant to inform, not scare and confuse people into asking for help. And "inexperienced" doesn't mean "not intelligent". I think that's the consensus on Wikipedia.
 * The example of Help desk shows how the mention of "malicious code" misinformed a user into thinking malicious code has been detected on the page, and that the warning is actually an alert.
 * There's no harm in directing users to get help from others, but more people would ask for help if given an explanation. Even if they don't understand it, it would prompt them to ask VP for what it means. --Nezek (talk) 21:16, 1 March 2009 (UTC)


 * I don't mean to scare or confuse people. Instead I think feeding them information that they anyway can't use would be confusing (and possibly scary) for them. Since most users don't know how computer security, hacking and social engineering attacks work. The article about user privileges probably doesn't help those users at all, since it tells nothing about social engineering attacks.
 * Computer security and the specific social engineering attack we are warning about here can not be explained in a small box. Instead it takes several pages to explain. That is why I keep recommending the (learn more) link instead. That link can go to a page where you can properly explain what this is about.
 * I think the most important part here is that this box warns about social engineering attacks. So I have rearranged my suggested message box above to have your "Be watchful of code from sources you don't trust" sentence first. I really like that sentence, you formulated it very well.
 * --David Göthberg (talk) 11:24, 3 March 2009 (UTC)

Another case: unintended XSS vulnerabilities in user JavaScript
The message currently mentions only malicious user JavaScript, but an unintended cross-site scripting vulnerability in user JavaScript could also compromise the user's account. I propose to generalize the message to cover this case:

Hashproduct (talk) 22:34, 18 September 2010 (UTC)

Suggested new text
Should we change the message to:

Note that non-malicious code can contain cross-site scripting vulnerabilities. Also, it is not just the Monobook skin that executes the code when the Preview button is clicked. The Vector skin and others are affected as well. I would not say some skins if the two most popular skins are both affected. PleaseStand (talk) 03:19, 9 October 2011 (UTC)
 * Why not:


 * Anyway, I support. Ebe 123 (+) (talk · contribs) 11:02, 9 October 2011 (UTC)


 * Seems like a good change. The important thing is to warn users that they should be careful; I figure we should keep this message very short and to the point -- much like the text PleaseStand has suggested -- with a link to an information page for users who are curious or conscientious enough to want full technical details, such as a list of possible threats, common pitfalls, and so on. At the moment, I'm not aware of such a page, but possible candidates might include Scripts, WikiProject User scripts, WikiProject User scripts/Guide, or Help:User style. If no such page is a perfect match, we could start one. – Luna Santin  (talk) 21:22, 11 October 2011 (UTC)


 * The page claims "Execution [occurs] under Monobook, Simple, MySkin, and Chick". Not vector. Did you test? I see no point in changing this. Prodego  talk  06:22, 14 October 2011 (UTC)


 * Yes, Vector does it as well: switch to Vector (if needed), go to special:mypage/test.js, click "Create", type, click "Show preview". — AlexSm 12:58, 14 October 2011 (UTC)

Protected edit request on 27 February 2015
Uncontroversial edit request: The text  should be replaced with. This sort of complies with WP:EGG. I know the policy is for articles, but it makes sense here. Viewers should know that they would be directly taken to the appropriate village pump (not to the Village pump's main page) by clicking on the link.

SD0001 (talk) 07:41, 27 February 2015 (UTC)
 * Done — Mr. Stradivarius ♪ talk ♪ 03:23, 28 February 2015 (UTC)

Protected edit request on 2 March 2020
In T200878, a built-in "JS pages may contain malicious code" was added as MediaWiki:Userjsdangerous, which duplicates this message, which is hackily transcluded via a bunch of unrelated MediaWiki namespace pages. To clean up the system, I request:


 * 1) Move MediaWiki:Jswarning to MediaWiki:Userjsdangerous (replacing the default message with that title)
 * 2) Remove references to this message from MediaWiki:Userinvalidconfigtitle, MediaWiki:Userjsyoucanpreview and MediaWiki:Userjspreview, since all pages in which those message appear also show MediaWiki:Userjsdangerous

* Pppery * it has begun... 03:56, 2 March 2020 (UTC)


 * Others may see also MediaWiki talk:Usercsspreview. --Izno (talk) 16:20, 2 March 2020 (UTC)
 * It's not obvious to me that is even used anymore in core. Did you see the same? --Izno (talk) 03:39, 5 March 2020 (UTC)
 * Jswarning was, as far as I can tell, never used in core, but instead a template created in the MediaWiki namespace for historical reasons. * Pppery * it has begun... 04:01, 5 March 2020 (UTC)
 * Done Izno (talk) 04:27, 5 March 2020 (UTC)

Protected edit request on 14 April 2022
Please change the first sentence to "Any code added to this page may potentially break or compromise your account." The reason is the first sentence has awkward phrasing, and the only thing that scripts could do depends on the user's permissions. More often than not an account does not get compromised by a tool, but a broken script wreaks havoc on the wiki.

I'd also like to add the mention of "mw.loader.load" as that can load scripts from outside Wikipedia.org. We can mention that "if you were asked by a user to paste code here, don't do it as it may compromise your account" at the beginning. Aasim - Herrscher of Wikis 00:18, 14 April 2022 (UTC)
 * I added mw.loader.load to the list of load commands; I don't think the first sentence is awkward - "any code" doesn't have the potential to compromise an account either - only bad code. Also, we often DO tell people to do most things here. — xaosflux Talk 01:13, 14 April 2022 (UTC)