Author: russblau
Description:
patch to mediawiki.api.js to handle edit tokens
It is recommended at [[mw:API:Edit#Token]] that the "token" parameter in an edit request should be passed to the server last. This is a safety measure in case transmission of the HTML request to the server is interrupted; the server will not process an incomplete request because there will be no token. (Conversely, if the "text=" parameter were last, the server would have no way of knowing whether the complete text had been received.) Presumably the same thing is necessary for action=email, since the request may include text of arbitrary length.
The attached patch (not tested) moves any parameter named "token" to the end of the request; this is possibly over-inclusive (it will apply to things like "action=watch" where there is no text field in the request) but I can't see how it can do any harm.
Version: 1.19
Severity: minor
Attached: