On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber <bvibber(a)wikimedia.org> wrote:
On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn
<jackmcbarn(a)gmail.com> wrote:
On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber
<bvibber(a)wikimedia.org>
wrote:
I'd be inclined to unstrip the marker *and
squash HTML to plaintext*,
then
encode the plaintext...
I don't see how that addresses the security issue.
Rollback tokens in the Special:Contributions HTML would then not be
available in the squashed text that got encoded. Thus it could not be
extracted and used in the timing attack.
While it would avoid *this* bug, it would still allow the attack if there
is ever sensitive data on some transcludable special page that isn't
embedded in HTML tag attributes.
--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation