Improved comments on the safe_html_nonce() routine.
Commit
dfa0eee7b85a6f35bb1223baf79a0e9128db696adfc4f34dc5695b673116635e
Parent
a0ef47e79fec07f…
1 file changed
+18
-1
+18
-1
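--- a/src/wikiformat.c
+++ b/src/wikiformat.c
@@ -2578,11 +2578,28 @@
 }
 }while( e!=eEnd && p->n>0 );
 }
 
 /*
-** Return a nonce to indicate safe-html can allow code through
+** Return a nonce to indicate that safe_html() can allow code through
+** without censoring.
+**
+** When safe_html() is asked to sanitize some HTML, it will ignore
+** any text in between two consecutive instances of the nonce. The
+** nonce itself is an HTML comment so it is harmless to keep the
+** nonce in the middle of the HTML stream. A different nonce is
+** choosen each time Fossil is run, using a lot of randomness, so
+** an attacker will be unable to guess the nonce in advance.
+**
+** The original use-case for this mechanism is to allow Pikchr-generated
+** SVG in the middle of HTML generated from Markdown. The Markdown
+** output will normally be processed by safe_html() to prevent accidental
+** or malicious introduction of harmful HTML (ex: <script>) in the
+** output stream. The safe_html() only lets through HTML elements
+** that are on its allow-list and SVG is not on that list. Hence, in order
+** to allow the Pikchr-generated SVG through, it must be surrounded by
+** the nonce.
 */
 const char *safe_html_nonce(int bGenerate){
 static char *zNonce = 0;
 if( zNonce==0 && bGenerate ){
 zNonce = db_text(0, "SELECT '<!--'||hex(randomblob(32))||'-->';");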
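Review bot: The new comment at 2588–2591 says it is harmless to leave the nonce in the HTML stream and that an attacker cannot guess it in advance, but those two statements only hold together if safe_html() removes the nonce before the page reaches a client, and the hunk does not say which it is. Since zNonce is a function-level static generated once per process (2603–2605), a nonce that survived into output served by a long-lived server process would be visible to anyone who can view one rendered page and could be reused for the rest of that process's lifetime, so the comment should state the actual behaviour, e.g. `** safe_html() strips the nonce from its output; the nonce must never appear in HTML sent to a client.` if that is what the code does, or otherwise explain why disclosure is acceptable. Also `choosen` on 2590 should be `chosen`, and `The safe_html() only lets through` on 2597 reads better as `safe_html() only lets through`. The body of safe_html_nonce() continues past the end of the hunk.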
| --- src/wikiformat.c | |
| +++ src/wikiformat.c | |
| @@ -2578,11 +2578,28 @@ | |
| 2578 | } |
| 2579 | }while( e!=eEnd && p->n>0 ); |
| 2580 | } |
| 2581 | |
| 2582 | /* |
| 2583 | ** Return a nonce to indicate safe-html can allow code through |
| 2584 | */ |
| 2585 | const char *safe_html_nonce(int bGenerate){ |
| 2586 | static char *zNonce = 0; |
| 2587 | if( zNonce==0 && bGenerate ){ |
| 2588 | zNonce = db_text(0, "SELECT '<!--'||hex(randomblob(32))||'-->';"); |
| 2589 |
| --- src/wikiformat.c | |
| +++ src/wikiformat.c | |
| @@ -2578,11 +2578,28 @@ | |
| 2578 | } |
| 2579 | }while( e!=eEnd && p->n>0 ); |
| 2580 | } |
| 2581 | |
| 2582 | /* |
| 2583 | ** Return a nonce to indicate that safe_html() can allow code through |
| 2584 | ** without censoring. |
| 2585 | ** |
| 2586 | ** When safe_html() is asked to sanitize some HTML, it will ignore |
| 2587 | ** any text in between two consecutive instances of the nonce. The |
| 2588 | ** nonce itself is an HTML comment so it is harmless to keep the |
| 2589 | ** nonce in the middle of the HTML stream. A different nonce is |
| 2590 | ** choosen each time Fossil is run, using a lot of randomness, so |
| 2591 | ** an attacker will be unable to guess the nonce in advance. |
| 2592 | ** |
| 2593 | ** The original use-case for this mechanism is to allow Pikchr-generated |
| 2594 | ** SVG in the middle of HTML generated from Markdown. The Markdown |
| 2595 | ** output will normally be processed by safe_html() to prevent accidental |
| 2596 | ** or malicious introduction of harmful HTML (ex: <script>) in the |
| 2597 | ** output stream. The safe_html() only lets through HTML elements |
| 2598 | ** that are on its allow-list and SVG is not on that list. Hence, in order |
| 2599 | ** to allow the Pikchr-generated SVG through, it must be surrounded by |
| 2600 | ** the nonce. |
| 2601 | */ |
| 2602 | const char *safe_html_nonce(int bGenerate){ |
| 2603 | static char *zNonce = 0; |
| 2604 | if( zNonce==0 && bGenerate ){ |
| 2605 | zNonce = db_text(0, "SELECT '<!--'||hex(randomblob(32))||'-->';"); |
| 2606 |