lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


Indeed, I made a patch for an XSS issue recently and broke page edits.  The site is now informally locked until I've worked it out.

Regards,
--John


On Mon, Jun 1, 2020 at 8:35 PM Philippe Verdy <verdyp@gmail.com> wrote:
Note: this bug affects ANY page that currently contains some '<' including many Lua sample code between {{{triple braces}}}.
The page is parsed when saving, anything that looks like a possible HTML tag will cause an exception where the whole text is lost. Then ALL HTML-escapes like "&lt;" or numeric character entities are converted to plain-text literal characters (not generating any HTML). The wiki then stores and displays the result of this parsing.
Something changed recently on the code implementing the wiki, which caused incompatible behavior.
A very large number of wiki pages are affected by this new bug. Be careful. The wiki implementation has a serious bug, at least it should not allow saving the page if there are '<' but should inform the user that he must fix the content, or the wiki should first HTML-encode any "&" found anywhere into "&amp;", and then any "<" found anywhere into "&lt;"
Visibly the HTML-escaping of the input text was removed or forgotten in the new implementation!


Le lun. 1 juin 2020 à 07:35, Philippe Verdy <verdyp@gmail.com> a écrit :
I identified the bug. Any wiki page where there's a single '<' character inside will be blanked entirely when saving.

The source page can be restored by first converting each of them to '&lt;' 

Le lun. 1 juin 2020 à 07:19, Robert Burke <sharpobject@gmail.com> a écrit :
On Mon, Jun 1, 2020 at 8:25 AM Philippe Verdy <verdyp@gmail.com> wrote:
>
> Editing any page on the lua.org wiki has a severa bug:
> you can edit a page, add a single character, post legitimate comment, but when saving all the text is cleared.
> Looking at the diff, you cannot even restore its content (reload the old version, don't change anythin, try saving, the saved page is blank again (nothing is restored)!
>

It looks like it works to me: http://lua-users.org/wiki/TestPage