[ic] [loop-code] interpolation = security risk?

Grant emailgrant at gmail.com
Thu Oct 23 00:25:05 UTC 2014

> Even what you pointed out is typically not going to be a security problem
> because Interchange escapes [ characters coming from the wild and your
> database. I don't think it's ideal, but I also don't think it's worth
> fighting with ITL in the absence of a clearly exploitable vulnerability.

I see that cgi.coretag escapes "[".  Do you remember where else this is done?

It's also worth mentioning that I can't figure out what line 2 here
accomplishes (from cgi.coretag):

# Eliminate any Interchange tags
$value =~ s~<([A-Za-z]*[^>]*\s+[Mm][Vv]\s*=\s*)~<$1~g;
$value =~ s/\[/[/g;

>> Is IC6 ready for prime time?
> Not yet, but it's getting closer!
> You're an experienced Interchange developer, so I think this is a good time
> for someone like you to get involved with IC6. It'll be ready for prime time
> a lot quicker if we have more people involved porting sites to it, or
> starting new ones.

Any kind of a wrapper for IC5 available or planned?  Is porting
basically a rewrite?

- Grant

More information about the interchange-users mailing list