Fossil SCM
Mention TH1 tainted strings in the Custom Skins document.
Commit: 2a02993a1ae67994dd2634f53c380197aa644213f311473585fc81b5c32a1255
Parent: 67726b6e82882f9…
1 file changed, +11 -3
| --- www/customskin.md | ||
| +++ www/customskin.md | ||
| @@ -336,11 +336,12 @@ | ||
| 336 | 336 | output and is instead run as a TH1 script. That TH1 |
| 337 | 337 | script has the opportunity to insert new text in place of itself, |
| 338 | 338 | or to inhibit or enable the output of subsequent text. |
| 339 | 339 | |
| 340 | 340 | * Text of the form "$NAME" or "$<NAME>" is replaced with |
| 341 | - the value of the TH1 variable NAME. | |
| 341 | + the value of the TH1 variable NAME. See the [TH1 Variables](#vars) | |
| 342 | + section for more information on the two possible variable formats. | |
| 342 | 343 | |
| 343 | 344 | For example, first few lines of a typical Skin Header will look |
| 344 | 345 | like this: |
| 345 | 346 | |
| 346 | 347 | <div class="header"> |
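Review bot: at line 340 the two forms are quoted as "$NAME" and "$<NAME>" in plain text, while the new paragraph in the TH1 Variables hunk writes them as `$<NAME>` and `$NAME` in backticks; use backticks here as well, both for consistency and because a bare `<NAME>` in Markdown is liable to be treated as an inline HTML tag and dropped by the renderer. It would also help to state in this bullet which of the two forms is required for tainted values rather than only pointing at the #vars section, so a reader of the substitution rules does not have to follow the link to learn that `$<NAME>` is the form for untrusted text.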
| @@ -424,18 +425,25 @@ | ||
| 424 | 425 | ## <a id="vars"></a>TH1 Variables |
| 425 | 426 | |
| 426 | 427 | Before expanding the TH1 within the header and footer, Fossil first |
| 427 | 428 | initializes a number of TH1 variables to values that depend on |
| 428 | 429 | repository settings and the specific page being generated. |
| 430 | + | |
| 431 | +Variables holding text that is loaded from "external, potentially untrusted" | |
| 432 | +sources (including the repository settings) are treated as [tainted strings] | |
| 433 | +(./th1.md#taint) and must be noted in the `$<NAME>` form, instead of `$NAME`, | |
| 434 | +or they may trigger an error (see the linked document for details). | |
| 429 | 435 | |
| 430 | 436 | * **`project_name`** - The project_name variable is filled with the |
| 431 | 437 | name of the project as configured under the Admin/Configuration |
| 432 | - menu. | |
| 438 | + menu. This is a [tainted string](./th1.md#taint) variable and must | |
| 439 | + be used as `$<project_name>`. | |
| 433 | 440 | |
| 434 | 441 | * **`project_description`** - The project_description variable is |
| 435 | 442 | filled with the description of the project as configured under |
| 436 | - the Admin/Configuration menu. | |
| 443 | + the Admin/Configuration menu. This is a [tainted string] | |
| 444 | + (./th1.md#taint) variable and must be used as `$<project_description>`. | |
| 437 | 445 | |
| 438 | 446 | * **`title`** - The title variable holds the title of the page being |
| 439 | 447 | generated. |
| 440 | 448 | |
| 441 | 449 | The title variable is special in that it is deleted after |
| 442 | 450 |
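Review bot: the link markup added at lines 432-433 and 443-444 is broken by the line wrap: `[tainted strings]` ends one line and `(./th1.md#taint)` starts the next, and Markdown does not permit a line break between the link text and its destination, so these will render as literal bracketed text rather than as links. Keep `[tainted strings](./th1.md#taint)` on one line, as the project_name entry at line 438 already does. Two smaller points: "must be noted in the `$<NAME>` form" at line 433 reads better as "must be referenced in the `$<NAME>` form", and since project_name and project_description are now explicitly marked tainted, the `title` entry at line 446 should say explicitly whether it is or is not, so that the missing marker is not read as an oversight.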