This page is using non-configuration globals which will be deprecated and removed in the future. I think this page should be updated to remove their uses.
Talk:Security checklist for developers
Manual:Messages API#Output modes and escaping has some advice, might be good to copy/merge in here?
There are no older topics