Fossil SCM
Comments are not properly escaped when displayed through the Web UI
8e5a24b49fcf5bc…
· opened 14 years, 11 months ago
- Type
- Code_Defect
- Priority
- —
- Severity
- Important
- Resolution
- Rejected
- Subsystem
- —
- Created
- April 22, 2011 4:54 a.m.
View the manifest at http://www.fossil-scm.org/index.html/artifact/7fca007538fea65f
Notice the entity "è" towards the end of the comment.
Now view the checkin at http://www.fossil-scm.org/index.html/info/7fca007538
Notice how the "è" entity was not escaped and actually shows as a real grave accent (`) instead of displaying literally.
What happens if something like "&what-kind-of-entity-is-this;" or "�" should appear in a comment?
Might trigger a browser crash or security hole.
Comments should be displayed verbatim without any interpretation to prevent this potential problem.
drh added on 2011-04-22 11:36:53 UTC: By design, commit comments are wiki text, which means HTML is allowed within commit comments and is displayed as such. This allows hyperlinks and rich formatting to be used within comments - a feature that we have made full use of over the past 3.75 years. It is not something we care to disable.
Thanks for the suggestion, though.
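One rendering policy that keeps the feature drh describes (hyperlinks and formatting in comments) while addressing the reporter's concern (unknown entity names, malformed numeric references and unexpected tags are displayed literally instead of being interpreted), as an added illustration. This is example Python, not Fossil's wiki renderer; the allowlist of tags, attributes and URL schemes is an assumption made for the example.

```python
import html
from html.entities import html5
from html.parser import HTMLParser

# Constructed allowlist (not Fossil's policy): links and basic formatting stay live.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "p", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")

class CommentSanitizer(HTMLParser):  # base class silently drops <!-- --> and <!DOCTYPE>
    def __init__(self):
        super().__init__(convert_charrefs=False)  # route &name; and &#N; to the handlers below
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # e.g. <script>, <img onerror=...>: show as text
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = [f' {n}="{html.escape(v)}"' for n, v in attrs if v
                and n in ALLOWED_ATTRS.get(tag, ()) and v.lower().startswith(SAFE_SCHEMES)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/>: do not also emit a bogus </br>

    def handle_endtag(self, tag):
        close = f"</{tag}>"
        self.out.append(close if tag in ALLOWED_TAGS else html.escape(close))

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def handle_entityref(self, name):
        # Known named entity (e.g. egrave) is kept; an unknown one is displayed literally.
        self.out.append(f"&{name};" if name + ";" in html5 else f"&amp;{name};")

    def handle_charref(self, name):
        # Numeric reference is kept only if it names a valid Unicode scalar value.
        try:
            cp = int(name[1:], 16) if name[0] in "xX" else int(name)
        except ValueError:
            cp = -1
        valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
        self.out.append(f"&#{name};" if valid else html.escape(f"&#{name};"))

def render_comment(text):
    p = CommentSanitizer()
    p.feed(text)
    p.close()
    return "".join(p.out)
```

Feeding the two strings from the report through `render_comment` shows the difference: a known entity such as `&egrave;` still renders as the accented character, while the unknown name and an out-of-range numeric reference come out escaped and are displayed as typed.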