Thread:LunaStar724/@comment-188432-20180814042707

Heya :) Thanks for submitting your recent revisions to MediaWiki:Common.js.

Out of an abundance of caution, I'm gonna reject the most recent one, though. Using innerHTML is always a bit tricky in terms of XSS vulnerability. Tying it to an un-sanitised h2 is even riskier, in my view. I'm pretty sure it'd be possible for someone to put harmful script into a simple h2 that would then be successfully injected back into the wiki via the communityBoatCount variable. If you're really into the idea of it being an h2, a safer method might be to escape/sanitise that variable in the innerHTML statement. That way, if someone found a way of manually adding an h2 with this ID, it still would parse harmlessly. 
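
The escaping suggested in the post above, as an added example that is not part of the original message or the wiki's actual Common.js. The element IDs, the markup template and the assumption that the count is a whole number are illustrative.

```javascript
// Added example; not the wiki's actual Common.js. The element IDs and the
// markup template are assumptions made for illustration.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Risky pattern: whatever the h2 held goes into markup unchanged.
function renderUnsafe(communityBoatCount) {
  return '<span class="boat-count">' + communityBoatCount + '</span>';
}

// Safer pattern: escape the variable at the point of insertion.
function renderEscaped(communityBoatCount) {
  return '<span class="boat-count">' + escapeHtml(communityBoatCount) + '</span>';
}

// Stricter still (assumes the value is meant to be a whole number):
// accept digits only, otherwise return null.
function parseCount(text) {
  const trimmed = String(text).trim();
  return /^\d{1,9}$/.test(trimmed) ? Number(trimmed) : null;
}

// Constructed sample of what an editor-controlled h2 could contain.
const hostileH2 = '<img src=x onerror="alert(1)">';

// In a browser, reading and writing via textContent avoids HTML parsing entirely.
if (typeof document !== 'undefined') {
  const source = document.getElementById('communityBoatCount'); // hypothetical ID
  const target = document.getElementById('boat-count-display'); // hypothetical ID
  if (source && target) {
    const count = parseCount(source.textContent);
    target.textContent = count === null ? '?' : String(count);
  }
}
```

With the escaped or textContent form, an h2 carrying markup is displayed as literal text instead of being parsed as HTML.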