On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber <[email protected]> wrote:
> On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn <[email protected]> wrote: > > On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber <[email protected]> > > wrote: > > > I'd be inclined to unstrip the marker *and squash HTML to plaintext*, > > then > > > encode the plaintext... > > > > I don't see how that addresses the security issue. > > Rollback tokens in the Special:Contributions HTML would then not be > available in the squashed text that got encoded. Thus it could not be > extracted and used in the timing attack. > While it would avoid *this* bug, it would still allow the attack if there is ever sensitive data on some transcludable special page that isn't embedded in HTML tag attributes. -- Brad Jorsch (Anomie) Software Engineer Wikimedia Foundation _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
