From 1f112d570ef235416c4001605e15980b2f628da4 Mon Sep 17 00:00:00 2001 From: "http://smcv.pseudorandom.co.uk/" Date: Tue, 6 Apr 2010 00:55:54 +0000 Subject: if applied, reverting this would be problematic --- doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'doc') diff --git a/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn b/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn index 6a934d4eb..8e1ca42e0 100644 --- a/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn +++ b/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn @@ -31,3 +31,9 @@ Points of extra subtlety: double-escaped on any page that inlines them in `quick=yes` mode, and is rebuilt for some other reason. The failure mode is too much escaping rather than too little, so it shouldn't be a security problem. + +* Reverting this change, if applied, is more dangerous; until the wiki is + rebuilt, any titles, descriptions and GUIDs on unchanged pages that + contained markup could appear unescaped on any page that inlines them + in `quick=yes` mode, and is rebuilt for some other reason. The failure + mode here would be too little escaping, i.e. cross-site scripting. -- cgit v1.2.3