The term "attack" doesn't always imply malice; it can be inadvertent, and the consequences aren't always threatening. If someone decides to put single quotes in a tag or branch name, it shouldn't result in bad HTML giving a mildly scrambled page. I'll investigate Fossil's exposure when I have time.
Please do note that Fossil is already trying to avoid negative effects of having double quotes show up in attributes. Why should it not do the same for single quotes? Especially consider that it seems to use single-quoted attributes more than it does double quotes, so I argue that if for some arbitrary reason Fossil can only protect one kind of quote character, it should choose single quotes.

On May 20, 2015 1:31 PM, "Stephan Beal" <sgb...@googlemail.com> wrote:

> On Wed, May 20, 2015 at 8:16 PM, Andy Goth <andrew.m.g...@gmail.com>
> wrote:
>
>> On 5/20/2015 12:56 PM, Stephan Beal wrote:
>> > Of what kind?
>> >
>> > (please excuse brevity - left hand is currently bandaged)
>>
>> The linked article gives examples. Repeating:
>>
>> http://wonko.com/post/html-escaping
>
> i would need to be shown a viable "attack" on fossil before believing it.
> Sure, someone could try it, but i'm not convinced that there is an attack
> which could negatively affect the repo (only, at most, the malicious user's
> ability to use it). Comparing php-based code (as that article does) to
> Fossil's internal string-generation code is an apples/oranges comparison.
>
> i of course cannot rule out that such attacks theoretically exist, but
> would have to be shown one to believe it.
>
> --
> ----- stephan beal
> http://wanderinghorse.net/home/stephan/
> http://gplus.to/sgbeal
> "Freedom is sloppy. But since tyranny's the only guaranteed byproduct of
> those who insist on a perfect world, freedom will have to do." -- Bigby Wolf
>
> _______________________________________________
> fossil-dev mailing list
> fossil-dev@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
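As an added example (not Fossil's code and not from anyone in this thread), here is a C attribute escaper of the kind the message argues for: it encodes both quote characters, plus `&`, `<` and `>`, so a branch or tag name containing a single quote cannot terminate a single-quoted attribute. The function names and the sample branch name are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Entity for one byte, or NULL if the byte is copied unchanged. */
static const char *attr_entity(unsigned char c) {
    switch (c) {
        case '&':  return "&amp;";
        case '<':  return "&lt;";
        case '>':  return "&gt;";
        case '"':  return "&quot;";
        case '\'': return "&#39;";  /* numeric form: &apos; is not in HTML 4 */
        default:   return NULL;
    }
}

/* Escape for an HTML attribute delimited by either quote style; caller frees the result. */
char *html_attr_escape(const char *in) {
    size_t n = 0;
    const char *p; char *out, *q;
    for (p = in; *p; p++) {               /* pass 1: measure output length */
        const char *e = attr_entity((unsigned char)*p);
        n += e ? strlen(e) : 1;
    }
    if (!(out = malloc(n + 1))) return NULL;
    for (p = in, q = out; *p; p++) {      /* pass 2: copy, substituting entities */
        const char *e = attr_entity((unsigned char)*p);
        if (e) { size_t l = strlen(e); memcpy(q, e, l); q += l; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* 1 if escaping 'in' gives 'expected' and no attribute-terminating chars remain. */
int check_escape(const char *in, const char *expected) {
    char *s = html_attr_escape(in);
    int ok = s && strcmp(s, expected) == 0 && !strpbrk(s, "'\"<>");
    free(s);
    return ok;
}

int main(void) {
    /* Constructed branch name holding both quote characters (an assumption). */
    char *s = html_attr_escape("it's \"v1.0\" <beta>");
    if (s) { printf("<a data-branch='%s'>%s</a>\n", s, s); free(s); }
    return 0;
}
```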