Source code added for toolforge tool_srish(wikimedia) #1
Conversation
index.html
Outdated
| <head> | ||
| <title>index</title> | ||
| <meta charset="utf-8"/> | ||
| <link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet"> |
There was a problem hiding this comment.
We try to avoid using third-party resources as that means sending personally identifiable information (IP addresses, at least) to those servers. You can probably use https://tools.wmflabs.org/fontcdn/ instead; if not, you can always self-host. (Same goes for external JS libraries vs. https://tools.wmflabs.org/cdnjs/ )
There was a problem hiding this comment.
url of Roboto font stylesheet and jquery script has been updated.
index.js
Outdated
| event.preventDefault(); | ||
| $("#output").empty(); | ||
| var username = searchTerm.val(); | ||
| var url = 'https://en.wikipedia.org/w/api.php?origin=*&action=query&format=json&list=usercontribs&ucuser={{searchTerm}}&ucdir=newer&uclimit=5&callback=?'.replace('{{searchTerm}}', username); |
There was a problem hiding this comment.
If you want to use template-like notation (which is nice) but don't want to pull in a templating library just because of that (which is reasonable), you could write a simple helper function to do the replacement.
Whether you do that or not, make sure to add proper escaping. Usernames can't contain HTML but they can contain special characters like & or ? (and it's good practice to assume they could contain anything, anyway).
There was a problem hiding this comment.
Also, there isn't much point in using both origin=* (which is for CORS) and callback=? (which forces the request to be JSONP).
There was a problem hiding this comment.
can you please give some examples on proper escaping about what data has to be prevented?
callback=? has been removed , further origin=* is to test the project locally.
There was a problem hiding this comment.
Let's say the user is called A&B, then the URL would be + var url = 'https://en.wikipedia.org/w/api.php?origin=*&action=query&format=json&list=usercontribs&ucuser=A&B&ucdir=newer&uclimit=5. A webserver will interpret that like
origin => * action => query format => json list => usercontribs ucuser => A B => ucdir => newer uclimit => 5
which refers to a different user.
There was a problem hiding this comment.
@tgr sir,
I have updated my js file and resolved this issue using encodeURI function .Please review it.
Due to some technical issue I could not upload my file on time , sorry for the delay.
|
The escaping happens too late, you should only escape the username. I don't think it will work like this. Also, use Looks good otherwise; note though that putting the script on Toolforge is part of the task. |
@tgr
Please review the code. Its the wikimedia_toolforge tool for displaying the recent wikipedia edits.