Fossil SCM
Fix the version numbers in the new documentation on tainted strings.
Commit
807b73e6b52bbc7fdf73482412aad9c51ee09f0eadb56a021ad36573e8b98158
Parent
90b63bc5d142d1e…
1 file changed
+3
-3
| --- www/th1.md | ||
| +++ www/th1.md | ||
| @@ -110,17 +110,17 @@ | ||
| 110 | 110 | lines as a single command. |
| 111 | 111 | |
| 112 | 112 | <a id="taint"></a>Tainted And Untainted Strings |
| 113 | 113 | ----------------------------------------------- |
| 114 | 114 | |
| 115 | -Beginning with Fossil version 2.25 (circa 2025), TH1 distinguishes between | |
| 115 | +Beginning with Fossil version 2.26 (circa 2025), TH1 distinguishes between | |
| 116 | 116 | "tainted" and "untainted" strings. Tainted strings are strings that are |
| 117 | 117 | derived from user inputs that might contain text that is designed to subvert |
| 118 | 118 | the script. Untainted strings are known to come from secure sources and |
| 119 | 119 | are assumed to contain no malicious content. |
| 120 | 120 | |
| 121 | -Beginning with Fossil version 2.25, and depending on the value of the | |
| 121 | +Beginning with Fossil version 2.26, and depending on the value of the | |
| 122 | 122 | [vuln-report setting](/help?cmd=vuln-report), TH1 will prevent tainted |
| 123 | 123 | strings from being used in ways that might lead to XSS or SQL-injection |
| 124 | 124 | attacks. This feature helps to ensure that XSS and SQL-injection |
| 125 | 125 | vulnerabilities are not *accidentally* added to Fossil when |
| 126 | 126 | custom TH1 scripts for headers or footers or tickets are added to a |
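Review bot: the two replaced lines (115 and 121) now agree on 2.26, but line 115 still pairs the version with the vague "(circa 2025)"; if the 2.26 release date is known, state it, otherwise drop the parenthetical so the version number alone is the reference. Also, the unchanged context at lines 118-119 says untainted strings are "known to come from secure sources" and then that they "are assumed to contain no malicious content"; "known" overstates what a provenance-based taint flag gives you, so "are assumed to come from trusted sources" would match the second clause and the caveat later in the same section.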
| @@ -130,11 +130,11 @@ | ||
| 130 | 130 | less likely to happen by accident. Developers must still consider the |
| 131 | 131 | security implications TH1 customizations they add to Fossil, and take |
| 132 | 132 | appropriate precautions when writing custom TH1. Peer review of TH1 |
| 133 | 133 | script changes is encouraged. |
| 134 | 134 | |
| 135 | -In Fossil version 2.25, if the vuln-report setting is set to "block" | |
| 135 | +In Fossil version 2.26, if the vuln-report setting is set to "block" | |
| 136 | 136 | or "fatal", the [html](#html) and [query](#query) TH1 commands will |
| 137 | 137 | fail with an error if their argument is a tainted string. This helps |
| 138 | 138 | to prevent XSS and SQL-injection attacks, respectively. Note that |
| 139 | 139 | the default value of the vuln-report setting is "log", which allows those |
| 140 | 140 | commands to continue working and only writes a warning message into the |
| 141 | 141 |
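Review bot: line 131 in the unchanged context is missing a word, "security implications TH1 customizations they add to Fossil" should read "security implications of TH1 customizations they add to Fossil"; since this paragraph is being touched anyway, fix it in the same commit. Also, lines 135-138 say the html and query commands fail on a tainted argument when vuln-report is "block" or "fatal" and treat the two values as identical, while line 139 documents only the "log" default; a sentence on how "fatal" differs from "block" (if it does) would complete the description of the setting.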