On Mon, Nov 12, 2012 at 3:24 PM, Jeff King p...@peff.net wrote:
On Mon, Nov 12, 2012 at 01:55:46PM -0500, Drew Northup wrote:
On Sun, Nov 11, 2012 at 6:28 PM, glpk xypron xypron.g...@gmx.de wrote:
Gitweb can be used to generate an RSS feed.
Arbitrary tags can be inserted into the XML
On Tue, Nov 13, 2012 at 3:44 PM, Drew Northup n1xim.em...@gmail.com wrote:
On Mon, Nov 12, 2012 at 3:24 PM, Jeff King p...@peff.net wrote:
On Mon, Nov 12, 2012 at 01:55:46PM -0500, Drew Northup wrote:
+ # No XSS script/script inclusions
+ if ($input =~ m!(script)(.*)(/script)!){
The problem with input filtering is that you can only filter for one
output scenario. What if the the input is going to be output in a wiki
like environment, or to pdf, or whatever? Then you have to unescape
the data again, and maybe apply filtering/escaping for those
environments.
You only know
On Tue, Nov 13, 2012 at 4:45 PM, Kevin i...@ikke.info wrote:
The problem with input filtering is that you can only filter for one
output scenario. What if the the input is going to be output in a wiki
like environment, or to pdf, or whatever? Then you have to unescape
the data again, and maybe
On Tue, Nov 13, 2012 at 09:44:06AM -0500, Drew Northup wrote:
I don't buy the argument that we don't need to clean up the input as
well. There are scant few of us that are going to name a file
scriptalert(Something Awful)/script in this world (I am
probably one of them). Input validation is
On Tue, Nov 13, 2012 at 6:04 PM, Jeff King p...@peff.net wrote:
On Tue, Nov 13, 2012 at 09:44:06AM -0500, Drew Northup wrote:
Besides, inserting one call to esc_html only fixes one attack path. I
didn't look to see if all others were already covered.
Properly quoting output is something that
On Mon, Nov 12, 2012 at 03:24:13PM -0500, Jeff King wrote:
I think the right answer is going to be a well-placed call to esc_html.
I'm guessing the right answer is this:
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 10ed9e5..a51a8ba 100755
--- a/gitweb/gitweb.perl
+++
Jeff King p...@peff.net writes:
On Mon, Nov 12, 2012 at 03:24:13PM -0500, Jeff King wrote:
I think the right answer is going to be a well-placed call to esc_html.
I'm guessing the right answer is this:
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 10ed9e5..a51a8ba 100755
---
Drew Northup n1xim.em...@gmail.com writes:
Something like this may be useful to defuse the file parameter, but
I presume a more definitive fix is in order...
A proper fix will have to add esc_html to the feed generation, something
like this (untested):
diff --git a/gitweb/gitweb.perl
9 matches
Mail list logo
