Searched hist:"49 d7ec0a0f9385eb9dab3ae4b2747fe04548a000" (Results 1 – 4 of 4) sorted by relevance
/plugin/annotations/
style.css  49d7ec0a0f9385eb9dab3ae4b2747fe04548a000  Wed Jun 03 17:37:45 UTC 2026  tracker-user <82045103+tracker-user@users.noreply.github.com>  Fix stored XSS in JSINFO embed and self-deadlocking write lock
Two serious bugs found during review, plus three minor fixes:
- Stored XSS: the inline-embedded annotation payload was encoded with JSON_UNESCAPED_SLASHES and appended into the page's inline <script>. A body containing "</script>" closed the script element and injected arbitrary HTML, executing in every viewer's browser. Anyone who can annotate (AUTH_READ + login) could exploit it. Add JSON_HEX_TAG so < and > are escaped, neutralising every tag-based breakout.
- Write lock: mutate() held io_lock($file) and then called io_saveFile($file), which takes io_lock($file) again internally. The inner lock collided with the outer, busy-waiting ~3s for the stale-lock timeout on every create/edit/delete/resolve/clear and defeating mutual exclusion. Lock on a sentinel key ($file.lock) instead, leaving io_saveFile's own lock uncontended (matches DokuWiki TaskRunner idiom).
- style.css: the :root colour fallbacks were self-referential (var(--x) of themselves), i.e. cyclic and invalid, not a fallback. Replace with the literal config-default triplets.
- action.php: drop hsc() from a JSON error string (wrong context).
- script.js: refresh the open orphan drawer after a thread mutation so an edited body shows there too.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
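The JSINFO breakout described in the first bullet, as an added PHP example that is not part of the plugin's own code: encodeVulnerable() uses the pre-fix json_encode flags, encodeForInlineScript() the post-fix flags, and the annotation array, the function names and the isSafeForInlineScript() check are assumptions made for this illustration.

```php
<?php
// Added example (not the plugin's code): why JSON_UNESCAPED_SLASHES alone let a
// stored annotation body close an inline <script>, and how JSON_HEX_TAG closes
// that hole. The annotation array below is a constructed sample.
declare(strict_types=1);

// Constructed sample: an annotation body that contains a closing script tag.
$annotation = [
    'id'   => 'example-1',
    'body' => 'note </script><b>injected</b>',
];

// Pre-fix encoding: slashes are left unescaped and tags are untouched, so the
// literal "</script>" survives and the HTML parser ends the script element.
function encodeVulnerable(array $payload): string
{
    return json_encode($payload, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

// Post-fix encoding: JSON_HEX_TAG emits '<' and '>' as \u003C and \u003E.
// The HTML parser never sees a tag, while JSON.parse / the JS string literal
// still yields the original characters, so the annotation data is unchanged.
function encodeForInlineScript(array $payload): string
{
    return json_encode(
        $payload,
        JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_THROW_ON_ERROR
    );
}

// Defender-side check for anything appended into an inline <script>: the HTML
// tokenizer only reacts to a raw "</", so no raw '<' or '>' may remain.
function isSafeForInlineScript(string $json): bool
{
    return strpos($json, '<') === false && strpos($json, '>') === false;
}

echo 'vulnerable: ', encodeVulnerable($annotation), PHP_EOL;
echo 'safe?      ', var_export(isSafeForInlineScript(encodeVulnerable($annotation)), true), PHP_EOL;
echo 'fixed:     ', encodeForInlineScript($annotation), PHP_EOL;
echo 'safe?      ', var_export(isSafeForInlineScript(encodeForInlineScript($annotation)), true), PHP_EOL;
```

Note that PHP's default json_encode (without JSON_UNESCAPED_SLASHES) escapes "/" as "\/", which incidentally broke "</script>"; dropping that flag is what exposed the tag, and JSON_HEX_TAG is the explicit, slash-independent protection.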
action.php  49d7ec0a0f9385eb9dab3ae4b2747fe04548a000  Wed Jun 03 17:37:45 UTC 2026  tracker-user <82045103+tracker-user@users.noreply.github.com>  Fix stored XSS in JSINFO embed and self-deadlocking write lock
helper.php  49d7ec0a0f9385eb9dab3ae4b2747fe04548a000  Wed Jun 03 17:37:45 UTC 2026  tracker-user <82045103+tracker-user@users.noreply.github.com>  Fix stored XSS in JSINFO embed and self-deadlocking write lock
script.js  49d7ec0a0f9385eb9dab3ae4b2747fe04548a000  Wed Jun 03 17:37:45 UTC 2026  tracker-user <82045103+tracker-user@users.noreply.github.com>  Fix stored XSS in JSINFO embed and self-deadlocking write lock