[ic] [loop-code] interpolation = security risk?
emailgrant at gmail.com
Thu Oct 23 00:25:05 UTC 2014
> Even what you pointed out is typically not going to be a security problem
> because Interchange escapes [ characters coming from the wild and your
> database. I don't think it's ideal, but I also don't think it's worth
> fighting with ITL in the absence of a clearly exploitable vulnerability.
I see that cgi.coretag escapes "[". Do you remember where else this is done?
It's also worth mentioning that I can't figure out what line 2 here
accomplishes (from cgi.coretag):
# Eliminate any Interchange tags
$value =~ s~<([A-Za-z]*[^>]*\s+[Mm][Vv]\s*=\s*)~&lt;$1~g;
$value =~ s/\[/&#91;/g;
>> Is IC6 ready for prime time?
> Not yet, but it's getting closer!
> You're an experienced Interchange developer, so I think this is a good time
> for someone like you to get involved with IC6. It'll be ready for prime time
> a lot quicker if we have more people involved porting sites to it, or
> starting new ones.
Any kind of a wrapper for IC5 available or planned? Is porting
basically a rewrite?
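
Added example, not part of the original message or of Interchange's own code: the Perl below applies the two substitutions quoted from cgi.coretag to constructed inputs to show what each one changes. The name `neutralize_itl` is hypothetical, and the replacement strings `&lt;` and `&#91;` are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper wrapping the two substitutions quoted from cgi.coretag.
# Assumption: the replacement strings are the entities &lt; and &#91;.
sub neutralize_itl {
    my ($value) = @_;
    # An HTML tag that carries an mv= attribute: rewrite its opening "<" as
    # "&lt;" so it is no longer markup. Needs whitespace before "mv".
    $value =~ s~<([A-Za-z]*[^>]*\s+[Mm][Vv]\s*=\s*)~&lt;$1~g;
    # Every "[" becomes a numeric entity, so no bracketed tag survives.
    $value =~ s/\[/&#91;/g;
    return $value;
}

# Constructed sample inputs standing in for submitted form values.
my @samples = (
    'plain text',
    '[data session username]',
    '<a mv="page index" href="x">link</a>',
    '<A HREF="x" MV = "area">',
    '<b>bold</b> and a[0]',
);

for my $in (@samples) {
    my $out = neutralize_itl($in);
    printf "%-40s => %s\n", $in, $out;
    # Sanity check: no literal "[" may remain after filtering.
    die "unescaped [ left in output\n" if $out =~ /\[/;
}
```

Ordinary HTML such as `<b>` passes through unchanged; only tags with an `mv=` attribute and literal `[` characters are rewritten.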