User blog comment:TechKon/Problem/@comment-2033667-20150811073206

Looking over the announcement quickly, it looks like the change is not permanent. We're just going to have to live with it for now :(

I'm surprised that the attack had such a small effect and didn't occur sooner. With user JavaScript, it's possible to create a virus that can be spread by an administrator on one Wikia merely visiting an infected Wikia. With further trickery it can hide edits from WikiActivity and RecentChanges to make the infection completely silent. An attacker who does this can essentially run whatever script they want on whoever they want. They can make edits under anyone's name and collect IP addresses.

The fundamental problem is JavaScript. JavaScript from untrusted sources is a security nightmare. That's why we have software like ADsafe and Caja to allow running programs in secure environments.