Ayende @ Rahienhttp://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660Um commented on Challenge: Why isn&rsquo;t select broken?Ayende, I don't know, probably nothing. However, there are other risks with XSS. The worst involve exploiting browser vulnerabilities to install trojans or hijackers ( [http://www.owasp.org/index.php/XSS](http://www.owasp.org/index.php/XSS)). http://ayende.com/4164/challenge-why-isn-t-select-broken#comment16http://ayende.com/4164/challenge-why-isn-t-select-broken#comment16Wed, 02 Sep 2009 10:55:47 GMTAyende Rahien commented on Challenge: Why isn&rsquo;t select broken?Um, As I said, I contacted the SubText team and they are working on that. What information do you think XSS can steal from visitors to this blog? http://ayende.com/4164/challenge-why-isn-t-select-broken#comment15http://ayende.com/4164/challenge-why-isn-t-select-broken#comment15Wed, 02 Sep 2009 10:35:38 GMTUm commented on Challenge: Why isn&rsquo;t select broken?But a simple XSS attack _is_ possible, which puts your visitors at risk. I can't imagine that the default configuration of Subtext doesn't encode comments?! http://ayende.com/4164/challenge-why-isn-t-select-broken#comment14http://ayende.com/4164/challenge-why-isn-t-select-broken#comment14Wed, 02 Sep 2009 10:31:09 GMTAyende Rahien commented on Challenge: Why isn&rsquo;t select broken?Um, Rob, test Removed your comments I am aware of the issue, and it will be fixed shortly. There is no data disclosure possible here, so I don't rate it critical http://ayende.com/4164/challenge-why-isn-t-select-broken#comment13http://ayende.com/4164/challenge-why-isn-t-select-broken#comment13Wed, 02 Sep 2009 10:24:12 GMTBertrand Le Roy commented on Challenge: Why isn&rsquo;t select broken?@dave-ilsw: how is stripping safer than Html-encoding the whole comment?? It certainly is a lot more inconvenient. http://ayende.com/4164/challenge-why-isn-t-select-broken#comment12http://ayende.com/4164/challenge-why-isn-t-select-broken#comment12Tue, 01 Sep 2009 20:04:17 GMTDaniel commented on Challenge: Why isn&rsquo;t select broken?Threading issue came to mind first, and looks like the case here. I could also see this happening if you had some custom Collection <t implementation that didn't return the correct Count. Looking at S.L.Buffer, it looks like it reuses ICollection.Count if you're passing a collection, otherwise, it loops over the IEnumerable and counts manually. >http://ayende.com/4164/challenge-why-isn-t-select-broken#comment11http://ayende.com/4164/challenge-why-isn-t-select-broken#comment11Tue, 01 Sep 2009 17:03:24 GMTdave-ilsw commented on Challenge: Why isn&rsquo;t select broken?@Um, I'm not at all surprised that the blog engine takes the approach of stripping everything that is enclosed by < and > rather than trying to figure out what is safe and encoding the rest. In the long run, stripping is safer. http://ayende.com/4164/challenge-why-isn-t-select-broken#comment10http://ayende.com/4164/challenge-why-isn-t-select-broken#comment10Tue, 01 Sep 2009 16:42:21 GMTUm commented on Challenge: Why isn&rsquo;t select broken?@Paul, I'm quite surprised <int> is not being HTML encoded by the blog engine. What about tags such as and <script>? http://ayende.com/4164/challenge-why-isn-t-select-broken#comment9http://ayende.com/4164/challenge-why-isn-t-select-broken#comment9Tue, 01 Sep 2009 16:02:45 GMTAyende Rahien commented on Challenge: Why isn&rsquo;t select broken?Rob, Well, _that_ was fast. http://ayende.com/4164/challenge-why-isn-t-select-broken#comment8http://ayende.com/4164/challenge-why-isn-t-select-broken#comment8Tue, 01 Sep 2009 15:27:26 GMTPaul Batum commented on Challenge: Why isn&rsquo;t select broken?Argh, I always forget to html encode my generics when posting blog comments.... :( http://ayende.com/4164/challenge-why-isn-t-select-broken#comment7http://ayende.com/4164/challenge-why-isn-t-select-broken#comment7Tue, 01 Sep 2009 14:44:03 GMTPaul Batum commented on Challenge: Why isn&rsquo;t select broken?Indeed, as the others above have suggested, I would guess its a threading issue. This one was pretty easy to reproduce: var ints = new List <int(); var thread = new Thread(delegate() { while (true) ints.Add(0); }); thread.Start(); while(true) Console.WriteLine(ints.ToArray().Length); >http://ayende.com/4164/challenge-why-isn-t-select-broken#comment6http://ayende.com/4164/challenge-why-isn-t-select-broken#comment6Tue, 01 Sep 2009 14:41:46 GMTKelly Stuard commented on Challenge: Why isn&rsquo;t select broken?+1 on Rob Jan's reason http://ayende.com/4164/challenge-why-isn-t-select-broken#comment5http://ayende.com/4164/challenge-why-isn-t-select-broken#comment5Tue, 01 Sep 2009 14:39:46 GMTJames Curran commented on Challenge: Why isn&rsquo;t select broken?It's taking the code path where the IEnumerable is really a ICollection, and using it's Count property to size the buffer. This property was possibly lying. http://ayende.com/4164/challenge-why-isn-t-select-broken#comment4http://ayende.com/4164/challenge-why-isn-t-select-broken#comment4Tue, 01 Sep 2009 14:32:48 GMTRob commented on Challenge: Why isn&rsquo;t select broken?Threading issue as the IEnumerable was having elements added to it whilst the ToArray was called? http://ayende.com/4164/challenge-why-isn-t-select-broken#comment3http://ayende.com/4164/challenge-why-isn-t-select-broken#comment3Tue, 01 Sep 2009 14:13:18 GMTJan Willem B commented on Challenge: Why isn&rsquo;t select broken?The source is changing during evaluation. http://ayende.com/4164/challenge-why-isn-t-select-broken#comment2http://ayende.com/4164/challenge-why-isn-t-select-broken#comment2Tue, 01 Sep 2009 14:13:15 GMTAkash Chopra commented on Challenge: Why isn&rsquo;t select broken?Infinite IEnumerable? http://ayende.com/4164/challenge-why-isn-t-select-broken#comment1http://ayende.com/4164/challenge-why-isn-t-select-broken#comment1Tue, 01 Sep 2009 14:10:04 GMT