On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber bvibber@wikimedia.org wrote:
> On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn jackmcbarn@gmail.com wrote:
>> On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber bvibber@wikimedia.org wrote:
>>> I'd be inclined to unstrip the marker *and squash HTML to plaintext*, then encode the plaintext...
>> I don't see how that addresses the security issue.
> Rollback tokens in the Special:Contributions HTML would then not be available in the squashed text that got encoded. Thus it could not be extracted and used in the timing attack.
While it would avoid *this* bug, it would still allow the attack if there is ever sensitive data on some transcludable special page that isn't embedded in HTML tag attributes.
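
The distinction drawn in this exchange, as an added example that is not part of the original thread and is not MediaWiki code: squashing HTML to plaintext discards attribute values but keeps text nodes. The function names and both HTML fragments are constructed for illustration.

```python
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Collects text nodes only; tags and their attributes are discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def squash_to_plaintext(html):
    """Hypothetical stand-in for 'squash HTML to plaintext'."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    # Collapse whitespace so the result is a single line of text.
    return " ".join("".join(parser.parts).split())


def survives_squash(html, secret):
    """True if the secret is still present in the squashed text."""
    return secret in squash_to_plaintext(html)


# Constructed placeholder values, not real tokens.
ATTR_TOKEN = "CONSTRUCTED-TOKEN-IN-ATTRIBUTE"
TEXT_SECRET = "CONSTRUCTED-SECRET-IN-TEXT"

# Constructed markup: a token carried only inside a link's href attribute.
TOKEN_IN_ATTRIBUTE = (
    '<li><a href="/w/index.php?action=rollback&amp;token=%s" '
    'title="rollback">rollback</a> Example edit</li>' % ATTR_TOKEN
)

# Constructed markup: a sensitive value rendered as visible text.
SECRET_IN_TEXT = "<p>Your value is <b>%s</b></p>" % TEXT_SECRET

if __name__ == "__main__":
    for label, html, secret in (
        ("attribute", TOKEN_IN_ATTRIBUTE, ATTR_TOKEN),
        ("text node", SECRET_IN_TEXT, TEXT_SECRET),
    ):
        print(label, "->", repr(squash_to_plaintext(html)),
              "| secret survives:", survives_squash(html, secret))
```
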