
Update the default ticket configuration to avoid sending out text that seems tainted. There are no actual XSS issues here, but these changes do add an extra margin of safety.

drh 2025-04-19 19:18 th1-taint
Commit 5d17ced68dabdda9c5905864e7cb6af9350c54b70dd319f8e3b6e009fc40603b
1 file changed +13 -13
+13 -13
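--- a/src/tktsetup.c
+++ b/src/tktsetup.c
@@ -481,11 +481,11 @@
 @ <th1>
 @ if {[info exists tkt_uuid]} {
 @ html "<td class='tktDspValue' colspan='3'>"
 @ copybtn hash-tk 0 $tkt_uuid 2
 @ if {[hascap s]} {
-@ html " ($tkt_id)"
+@ puts " ($tkt_id)"
 @ }
 @ html "</td></tr>\n"
 @ } else {
 @ if {[hascap s]} {
 @ html "<td class='tktDspValue' colspan='3'>Deleted "
@@ -522,24 +522,24 @@
 @ $<resolution>
 @ </td></tr>
 @ <tr><td class="tktDspLabel">Last&nbsp;Modified:</td><td class="tktDspValue">
 @ <th1>
 @ if {[info exists tkt_datetime]} {
-@ html $tkt_datetime
+@ puts $tkt_datetime
 @ }
 @ if {[info exists tkt_mage]} {
-@ html "<br>$tkt_mage"
+@ html "<br>[htmlize $tkt_mage] ago"
 @ }
 @ </th1>
 @ </td>
 @ <td class="tktDspLabel">Created:</td><td class="tktDspValue">
 @ <th1>
 @ if {[info exists tkt_datetime_creation]} {
-@ html $tkt_datetime_creation
+@ puts $tkt_datetime_creation
 @ }
 @ if {[info exists tkt_cage]} {
-@ html "<br>$tkt_cage"
+@ html "<br>[htmlize $tkt_cage] ago"
 @ }
 @ </th1>
 @ </td></tr>
 @ <th1>enable_output [hascap e]</th1>
 @ <tr>
@@ -614,19 +614,19 @@
 @ html "User Comments:</td></tr>\n"
 @ html "<tr><td colspan='5' class='tktDspValue'>\n"
 @ set seenRow 1
 @ }
 @ html "<span class='tktDspCommenter'>"
-@ html "[htmlize $xlogin]"
+@ puts $xlogin
 @ if {$xlogin ne $xusername && [string length $xusername]>0} {
-@ html " (claiming to be [htmlize $xusername])"
+@ puts " (claiming to be $xusername)"
 @ }
-@ html " added on $xdate:"
+@ puts " added on $xdate:"
 @ html "</span>\n"
 @ if {$alwaysPlaintext || $xmimetype eq "text/plain"} {
 @ set r [randhex]
-@ if {$xmimetype ne "text/plain"} {html "([htmlize $xmimetype])\n"}
+@ if {$xmimetype ne "text/plain"} {puts "($xmimetype)\n"}
 @ wiki "<verbatim-$r>[string trimright $xcomment]</verbatim-$r>\n"
 @ } elseif {$xmimetype eq "text/x-fossil-wiki"} {
 @ wiki "<p>\n[string trimright $xcomment]\n</p>\n"
 @ } elseif {$xmimetype eq "text/x-markdown"} {
 @ html [lindex [markdown $xcomment] 1]
@@ -801,19 +801,19 @@
 @ html "Previous User Comments:</td></tr>\n"
 @ html "<tr><td colspan='2' class='tktDspValue'>\n"
 @ set seenRow 1
 @ }
 @ html "<span class='tktDspCommenter'>"
-@ html "[htmlize $xlogin]"
+@ puts $xlogin
 @ if {$xlogin ne $xusername && [string length $xusername]>0} {
-@ html " (claiming to be [htmlize $xusername])"
+@ puts " (claiming to be $xusername)"
 @ }
-@ html " added on $xdate:"
+@ puts " added on $xdate:"
 @ html "</span>\n"
 @ if {$alwaysPlaintext || $xmimetype eq "text/plain"} {
 @ set r [randhex]
-@ if {$xmimetype ne "text/plain"} {html "([htmlize $xmimetype])\n"}
+@ if {$xmimetype ne "text/plain"} {puts "($xmimetype)\n"}
 @ wiki "<verbatim-$r>[string trimright $xcomment]</verbatim-$r>\n"
 @ } elseif {$xmimetype eq "text/x-fossil-wiki"} {
 @ wiki "<p>\n[string trimright $xcomment]\n</p>\n"
 @ } elseif {$xmimetype eq "text/x-markdown"} {
 @ html [lindex [markdown $xcomment] 1]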
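Review bot: The rewrites at lines 530 and 540 in the @@ -522 hunk change the rendered wording as well as the escaping: `html "<br>$tkt_mage"` becomes `html "<br>[htmlize $tkt_mage] ago"`, so the age now carries a trailing " ago" that the old text did not. The commit description mentions only tainted output, so that user-visible change deserves a line there, and it is worth confirming that tkt_mage and tkt_cage (set outside this hunk) never already end in their own suffix, which would read oddly before "ago". For consistency with the rest of the change, which replaces `html "[htmlize …]"` with `puts …` everywhere else, these two lines could emit the markup and the escaped text separately: `html "<br>"` followed by `puts "$tkt_mage ago"` (and likewise for tkt_cage). The @@ -614 and @@ -801 hunks apply the same escaping rewrite to two identical copies of the commenter line; both are correct as written, but the duplication means any later change must again be made twice.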
--- src/tktsetup.c
+++ src/tktsetup.c
@@ -481,11 +481,11 @@
481 @ <th1>
482 @ if {[info exists tkt_uuid]} {
483 @ html "<td class='tktDspValue' colspan='3'>"
484 @ copybtn hash-tk 0 $tkt_uuid 2
485 @ if {[hascap s]} {
486 @ html " ($tkt_id)"
487 @ }
488 @ html "</td></tr>\n"
489 @ } else {
490 @ if {[hascap s]} {
491 @ html "<td class='tktDspValue' colspan='3'>Deleted "
@@ -522,24 +522,24 @@
522 @ $<resolution>
523 @ </td></tr>
524 @ <tr><td class="tktDspLabel">Last&nbsp;Modified:</td><td class="tktDspValue">
525 @ <th1>
526 @ if {[info exists tkt_datetime]} {
527 @ html $tkt_datetime
528 @ }
529 @ if {[info exists tkt_mage]} {
530 @ html "<br>$tkt_mage"
531 @ }
532 @ </th1>
533 @ </td>
534 @ <td class="tktDspLabel">Created:</td><td class="tktDspValue">
535 @ <th1>
536 @ if {[info exists tkt_datetime_creation]} {
537 @ html $tkt_datetime_creation
538 @ }
539 @ if {[info exists tkt_cage]} {
540 @ html "<br>$tkt_cage"
541 @ }
542 @ </th1>
543 @ </td></tr>
544 @ <th1>enable_output [hascap e]</th1>
545 @ <tr>
@@ -614,19 +614,19 @@
614 @ html "User Comments:</td></tr>\n"
615 @ html "<tr><td colspan='5' class='tktDspValue'>\n"
616 @ set seenRow 1
617 @ }
618 @ html "<span class='tktDspCommenter'>"
619 @ html "[htmlize $xlogin]"
620 @ if {$xlogin ne $xusername && [string length $xusername]>0} {
621 @ html " (claiming to be [htmlize $xusername])"
622 @ }
623 @ html " added on $xdate:"
624 @ html "</span>\n"
625 @ if {$alwaysPlaintext || $xmimetype eq "text/plain"} {
626 @ set r [randhex]
627 @ if {$xmimetype ne "text/plain"} {html "([htmlize $xmimetype])\n"}
628 @ wiki "<verbatim-$r>[string trimright $xcomment]</verbatim-$r>\n"
629 @ } elseif {$xmimetype eq "text/x-fossil-wiki"} {
630 @ wiki "<p>\n[string trimright $xcomment]\n</p>\n"
631 @ } elseif {$xmimetype eq "text/x-markdown"} {
632 @ html [lindex [markdown $xcomment] 1]
@@ -801,19 +801,19 @@
801 @ html "Previous User Comments:</td></tr>\n"
802 @ html "<tr><td colspan='2' class='tktDspValue'>\n"
803 @ set seenRow 1
804 @ }
805 @ html "<span class='tktDspCommenter'>"
806 @ html "[htmlize $xlogin]"
807 @ if {$xlogin ne $xusername && [string length $xusername]>0} {
808 @ html " (claiming to be [htmlize $xusername])"
809 @ }
810 @ html " added on $xdate:"
811 @ html "</span>\n"
812 @ if {$alwaysPlaintext || $xmimetype eq "text/plain"} {
813 @ set r [randhex]
814 @ if {$xmimetype ne "text/plain"} {html "([htmlize $xmimetype])\n"}
815 @ wiki "<verbatim-$r>[string trimright $xcomment]</verbatim-$r>\n"
816 @ } elseif {$xmimetype eq "text/x-fossil-wiki"} {
817 @ wiki "<p>\n[string trimright $xcomment]\n</p>\n"
818 @ } elseif {$xmimetype eq "text/x-markdown"} {
819 @ html [lindex [markdown $xcomment] 1]
820
--- src/tktsetup.c
+++ src/tktsetup.c
@@ -481,11 +481,11 @@
481 @ <th1>
482 @ if {[info exists tkt_uuid]} {
483 @ html "<td class='tktDspValue' colspan='3'>"
484 @ copybtn hash-tk 0 $tkt_uuid 2
485 @ if {[hascap s]} {
486 @ puts " ($tkt_id)"
487 @ }
488 @ html "</td></tr>\n"
489 @ } else {
490 @ if {[hascap s]} {
491 @ html "<td class='tktDspValue' colspan='3'>Deleted "
@@ -522,24 +522,24 @@
522 @ $<resolution>
523 @ </td></tr>
524 @ <tr><td class="tktDspLabel">Last&nbsp;Modified:</td><td class="tktDspValue">
525 @ <th1>
526 @ if {[info exists tkt_datetime]} {
527 @ puts $tkt_datetime
528 @ }
529 @ if {[info exists tkt_mage]} {
530 @ html "<br>[htmlize $tkt_mage] ago"
531 @ }
532 @ </th1>
533 @ </td>
534 @ <td class="tktDspLabel">Created:</td><td class="tktDspValue">
535 @ <th1>
536 @ if {[info exists tkt_datetime_creation]} {
537 @ puts $tkt_datetime_creation
538 @ }
539 @ if {[info exists tkt_cage]} {
540 @ html "<br>[htmlize $tkt_cage] ago"
541 @ }
542 @ </th1>
543 @ </td></tr>
544 @ <th1>enable_output [hascap e]</th1>
545 @ <tr>
@@ -614,19 +614,19 @@
614 @ html "User Comments:</td></tr>\n"
615 @ html "<tr><td colspan='5' class='tktDspValue'>\n"
616 @ set seenRow 1
617 @ }
618 @ html "<span class='tktDspCommenter'>"
619 @ puts $xlogin
620 @ if {$xlogin ne $xusername && [string length $xusername]>0} {
621 @ puts " (claiming to be $xusername)"
622 @ }
623 @ puts " added on $xdate:"
624 @ html "</span>\n"
625 @ if {$alwaysPlaintext || $xmimetype eq "text/plain"} {
626 @ set r [randhex]
627 @ if {$xmimetype ne "text/plain"} {puts "($xmimetype)\n"}
628 @ wiki "<verbatim-$r>[string trimright $xcomment]</verbatim-$r>\n"
629 @ } elseif {$xmimetype eq "text/x-fossil-wiki"} {
630 @ wiki "<p>\n[string trimright $xcomment]\n</p>\n"
631 @ } elseif {$xmimetype eq "text/x-markdown"} {
632 @ html [lindex [markdown $xcomment] 1]
@@ -801,19 +801,19 @@
801 @ html "Previous User Comments:</td></tr>\n"
802 @ html "<tr><td colspan='2' class='tktDspValue'>\n"
803 @ set seenRow 1
804 @ }
805 @ html "<span class='tktDspCommenter'>"
806 @ puts $xlogin
807 @ if {$xlogin ne $xusername && [string length $xusername]>0} {
808 @ puts " (claiming to be $xusername)"
809 @ }
810 @ puts " added on $xdate:"
811 @ html "</span>\n"
812 @ if {$alwaysPlaintext || $xmimetype eq "text/plain"} {
813 @ set r [randhex]
814 @ if {$xmimetype ne "text/plain"} {puts "($xmimetype)\n"}
815 @ wiki "<verbatim-$r>[string trimright $xcomment]</verbatim-$r>\n"
816 @ } elseif {$xmimetype eq "text/x-fossil-wiki"} {
817 @ wiki "<p>\n[string trimright $xcomment]\n</p>\n"
818 @ } elseif {$xmimetype eq "text/x-markdown"} {
819 @ html [lindex [markdown $xcomment] 1]
820
