How to Quickly and Correctly Generate a Git Log in HTML

2017-09-10

For the last release, I generated a git log in HTML. This helps users and helped me write Appendix B.

However, I ran into a problem: escaping.

Larry Wall: Whipupitude.

I will show you a solution that is both correct and preserves whipupitude.

Problem

I used a single git log command with a --pretty=format: string to generate it.

Description:

Implement <& Alternative to <&

Those characters should be escaped! Although some try very hard to resolve ambiguity, it's better to "emit strictly" (Postel's law).

Resolving ambiguity incorrectly leads to security bugs, for example the GIFAR bug: a GIF that is also a JAR.

Attack:

git commit -a -m '<script>alert("hi")</script>'

Strawman Yak Shaving

A Naive, Pedantic Solution

I admit that I may have used complex solutions before.

Discredited / fallen out of favor:

Other Tools that Use Field Substitution

This could be a separate blog post.

Do they support 0x00 and 0x01?

Adversarial Input

Can someone create a git commit with 0x00 and 0x01?

Will it break GitHub?
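One way to handle both the escaping problem and the delimiter question above, as an added example that is not code from the original post. It assumes the log is emitted with git's %x00 and %x01 placeholders as field and record terminators; the field choice (%H, %an, %s), GIT_CMD, parse_records, render_rows and SAMPLE are names made up for this sketch.

```python
import html
import subprocess

# Assumed layout: each field ends with NUL (%x00), each record with 0x01 (%x01).
GIT_CMD = ["git", "log", "--pretty=format:%H%x00%an%x00%s%x00%x01"]
NUM_FIELDS = 3


def parse_records(raw: bytes):
    """Yield (hash, author, subject) tuples; fail closed on malformed input."""
    for rec in raw.split(b"\x01"):
        rec = rec.lstrip(b"\n")  # git puts a newline between entries
        if not rec:
            continue
        fields = rec.split(b"\x00")
        # A delimiter byte smuggled into a field changes the field count.
        if len(fields) != NUM_FIELDS + 1 or fields[-1] != b"":
            raise ValueError("unexpected field count: %r" % rec)
        yield tuple(f.decode("utf-8", errors="replace") for f in fields[:-1])


def render_rows(raw: bytes) -> str:
    """Escape every field at the point where it enters the HTML."""
    rows = []
    for commit, author, subject in parse_records(raw):
        cells = "".join("<td>%s</td>" % html.escape(f, quote=True)
                        for f in (commit[:8], author, subject))
        rows.append("<tr>%s</tr>" % cells)
    return "\n".join(rows)


# Constructed sample of what GIT_CMD would print (not real commits).
SAMPLE = (b"1111111122222222\x00Alice\x00Implement <&\x00\x01\n"
          b"3333333344444444\x00Bob\x00<script>alert(\"hi\")</script>\x00\x01")

if __name__ == "__main__":
    try:
        raw = subprocess.run(GIT_CMD, capture_output=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        raw = SAMPLE  # not in a git repository: use the constructed sample
    print("<table>\n%s\n</table>" % render_rows(raw))
```

Because the markup comes only from the script and the commit data only from the delimited fields, a subject like the one in the attack above is rendered as text, and a record whose field count is off is rejected instead of being guessed at.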

Conclusion