promises[ defaultOptions.ajax.url ] = {};
$.each( mw.user.tokens.get(), function ( key, value ) {
// This requires #getToken to use the same key as user.tokens.
- // Format: token-type + "Token" (eg. editToken, patrolToken, watchToken).
+ // Format: token-type + "Token" (eg. csrfToken, patrolToken, watchToken).
promises[ defaultOptions.ajax.url ][ key ] = $.Deferred()
.resolve( value )
.promise( { abort: function () {} } );
// Prevent jQuery from overriding the Content-Type header
ajaxOptions.contentType = false;
} else {
- // Some deployed MediaWiki >= 1.17 forbid periods in URLs, due to an IE XSS bug
- // So let's escape them here. See bug #28235
// This works because jQuery accepts data as a query string or as an Object
- ajaxOptions.data = $.param( parameters ).replace( /\./g, '%2E' );
-
+ ajaxOptions.data = $.param( parameters );
// If we extracted a token parameter, add it back in.
if ( token ) {
ajaxOptions.data += '&token=' + encodeURIComponent( token );
}
+ // Depending on server configuration, MediaWiki may forbid periods in URLs, due to an IE 6
+ // XSS bug. So let's escape them here. See WebRequest::checkUrlExtension() and T30235.
+ ajaxOptions.data = ajaxOptions.data.replace( /\./g, '%2E' );
+
if ( ajaxOptions.contentType === 'multipart/form-data' ) {
// We were asked to emulate but can't, so drop the Content-Type header, otherwise
// it'll be wrong and the server will fail to decode the POST body
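Review bot: The relocated `ajaxOptions.data = ajaxOptions.data.replace( /\./g, '%2E' );` only covers the token because it now runs after the `'&token=' + encodeURIComponent( token )` append, and the new comment does not record that ordering requirement. `encodeURIComponent()` leaves `.` unescaped, so a later refactor that moves the replace back above the `if ( token )` block would silently stop escaping periods in the token value, which is presumably the case this change set out to fix. I would extend the comment with a line such as `// Must stay after the token is appended: encodeURIComponent() does not escape '.'.` A unit test that passes a token containing a period and asserts the serialized data contains `%2E` and no literal `.` would pin the behaviour. The enclosing function starts and ends outside this hunk, so other assignments to `ajaxOptions.data` are not visible here.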
* If we have a cached token try using that, and if it fails, blank out the
* cached token and start over. For example to change an user option you could do:
*
- * new mw.Api().postWithToken( 'options', {
+ * new mw.Api().postWithToken( 'csrf', {
* action: 'options',
* optionname: 'gender',
* optionvalue: 'female'