Fossil

Check-in [1d276f7b]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:This should demonstrate a behavior of inline STYLE tags. Notice gray background of PRE elements in www/defcsp.md and the lack of it in www/webui.wiki. See forum thread 69f475cf48.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | inline-style-inconsistency
Files: files | file ages | folders
SHA3-256: 1d276f7b234440d525bd55da35e4aa024d7dbb2473d765482f67d2de7ad6246c
User & Date: george 2021-06-19 20:58:33
Original Comment: This should demonstraite a behavior of inline STYLE tags. Notice gray background of
 elements in www/defcsp.md and the lack of it in www/webui.wiki. See forum thread 69f475cf48.
Context
2021-06-19
20:58
This should demonstrate a behavior of inline STYLE tags. Notice gray background of PRE elements in www/defcsp.md and the lack of it in www/webui.wiki. See forum thread 69f475cf48. ... (Leaf check-in: 1d276f7b user: george tags: inline-style-inconsistency)
02:29
Fix a possible "use-after-free" while rendering a /file page for the case when "ci" parameter is missing. This is a preliminary fix, it may introduce a (tiny) memory leak. ... (check-in: a6477bca user: george tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to www/defcsp.md.

16
17
18
19
20
21
22







23
24
25
26
27
28
29
For example, Fossil purposely breaks `<script>` tags when it finds
them in Markdown and Fossil Wiki documents.  And the Fossil build
process scans the source code for potential injection vulnerabilities
and refuses to compile if any problems are found.
However, CSP provides an additional layer of defense against undetected
bugs that might lead to a vulnerability.








## The Default Restrictions

The default CSP used by Fossil is as follows:

<pre>
     default-src 'self' data:;
     script-src 'self' 'nonce-$nonce';







>
>
>
>
>
>
>







16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
For example, Fossil purposely breaks `<script>` tags when it finds
them in Markdown and Fossil Wiki documents.  And the Fossil build
process scans the source code for potential injection vulnerabilities
and refuses to compile if any problems are found.
However, CSP provides an additional layer of defense against undetected
bugs that might lead to a vulnerability.

<style>
  div.content pre {
    background: #cccccc;
    padding: 0.25em;
  }
</style>

## The Default Restrictions

The default CSP used by Fossil is as follows:

<pre>
     default-src 'self' data:;
     script-src 'self' 'nonce-$nonce';

Changes to www/webui.wiki.

29
30
31
32
33
34
35








36
37
38
39
40
41
42
self-contained, stand-alone Fossil executable.

As an example of how useful this web interface can be,
the entire [./index.wiki | Fossil website],
including the document you are now reading,
is rendered using the Fossil web interface, with no enhancements,
and little customization.









<blockquote>
<b>Key point:</b> <i>The Fossil website is just a running instance
of Fossil!
</blockquote>

Note also that because Fossil is a distributed system, you can run







>
>
>
>
>
>
>
>







29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
self-contained, stand-alone Fossil executable.

As an example of how useful this web interface can be,
the entire [./index.wiki | Fossil website],
including the document you are now reading,
is rendered using the Fossil web interface, with no enhancements,
and little customization.

<style>
  div.content pre {
    background: #cccccc;
    padding: 0.25em;
  }
</style>


<blockquote>
<b>Key point:</b> <i>The Fossil website is just a running instance
of Fossil!
</blockquote>

Note also that because Fossil is a distributed system, you can run