Home

How to Quickly and Correctly Generate a Git Log in HTML

For the last release, I generated a git log in HTML. This helps users and helped me write Appendix B.

However I ran into a problem: escaping.

Larry Wall: Whipupitude.

I will show you a solution that is both correct and preserves whipupitude.

Problem

I used a single git --format=pretty command to generate.

Description:

Implement <& Alternative to <&

Those characters should be escaped! Although some try very hard to resolve ambiguity, it's better to "emit strictly" (Postel's law)

Resolving ambiguity incorrecty leads to security bugs, for example: GIFAR bug. A GIF that is also a JAR.

Attack:

git commit -a '<script>alert("hi")</script>'

Strawman Yak Shaving

A Naive, Pedantic Solution

I admit that I may have used complex solutions before.

Discredited / fallen out of favor:

• using an "API" for structured data
• structured HTML templates. Rewriting HTML in s-expressions syntax, etc. JSX is the best of both worlds?

Other Tools that Use Field Substitution

This coudl be a separate blog post

• find -- arbitrary data in filenames, touch '<'
• stat -- ditto

• curl --write-out

  • filenames
  • URLs overlap with HTML, the & character

• date -- may not have arbitrary characters.

Do they support? 0x00 and 0x01?

Adversarial Input

Can someone create a git commit with 0x00 and 0x01?

Will it break github?

Conclusion

• Unix way: hope that you don't have any special characters.

  • String confusion:
  • ${####}
  • ${//}
  • [ -a -a -a -a ]

• Pedantic way:

  • Use some kind of "API"

• Oil way: Pedantic but preserving whipupitude