Talk:Billion laughs

From Wikipedia, the free encyclopedia

Quickly created

This was quickly created without much effort since there wasn't even any page about it before. It should most likely be merged with the DoS-attack page when it has reached proper Wikipedia standards.

I am aware that the article is not totally up to standard, but that's because I am not an expert in this area. I came here looking for an article because my Ubuntu OS wanted to install an update protecting against this kind of attack, and I did not know what it was. --Eyetoy2 (talk) 12:16, 12 June 2009 (UTC)

If this is still under construction, shouldn't it have a tag on it or be in a user page, as it doesn't merit a full article. Jamesrules90 (talk) 15:22, 13 January 2010 (UTC)
I disagree. I believe this article is very useful and its content is well redacted and relates well to this particular type of attack. Additionally, a reference from the DoS attack page was most welcome, as Billion laughs is a sub-kind of attack. Great article. Live2create (talk) 06:44, 8 December 2010 (UTC)

Example code

Is the example code really needed? —Preceding unsigned comment added by (talk) 04:30, 21 December 2010 (UTC)

Yes, the code brings much clarity to the subject for people who are able to comprehend it. --Lajm (talk) 14:21, 21 October 2012 (UTC)
Agreed, I found it very helpful. I don't work with XML much but when I read the code I immediately thought, "Oh, like a zip bomb". -- (talk) 19:07, 20 February 2013 (UTC)
Agreed, it's clear, concise. Petermr (talk) 08:05, 3 May 2014 (UTC)

Copyright problem removed

Prior content in this article duplicated one or more previously published sources. The material was copied from: Infringing material has been rewritten or removed and must not be restored, unless it is duly released under a compatible license. (For more information, please see "using copyrighted works from others" if you are not the copyright holder of this material, or "donating copyrighted materials" if you are.) For legal reasons, we cannot accept copyrighted text or images borrowed from other web sites or published material; such additions will be deleted. Contributors may use copyrighted publications as a source of information, but not as a source of sentences or phrases. Accordingly, the material may be rewritten, but only if it does not infringe on the copyright of the original or plagiarize from that source. Please see our guideline on non-free text for how to properly implement limited quotations of copyrighted text. Wikipedia takes copyright violations very seriously, and persistent violators will be blocked from editing. While we appreciate contributions, we must require all contributors to understand and comply with these policies. Thank you. VernoWhitney (talk) 15:29, 22 April 2011 (UTC)


From memory I believe this exploit was first described on the XML-DEV mailing list[1] (I was list moderator) in 1997, though it didn't use lol. IIRC it was described as a slightly esoteric potential problem rather than an exploit. If I have time I'll try to search the archives. I certainly think it merits a separate page. Petermr (talk) 08:03, 3 May 2014 (UTC)

Modern browser immunity

Firefox 29 seems to be immune. It expands lol1 to lol4 properly, but lol5 and higher do not produce more output (the result is the same as one iteration of lol4).

Occasionally the display fails with "XML Parsing Error: recursive entity reference". This can be relatively reliably reproduced by quickly refreshing the page a few times in a row.

XML Parsing Error: recursive entity reference

Location: file:///C:/Users/admin/Desktop/bil.xml

Line Number 15, Column 13:<lolz>&lol4;</lolz>


Internet Explorer 9 - same result, but on exceeding lol4 produces a totally blank page (no error).

Google Chrome (34.0.1847.131 m) - does not tolerate anything above lol2. Starting from lol3, it complains that the page has an "error on line 15 at column 13: Detected an entity reference loop"

These are the only ones I have installed and could test with. --HTMLCoder.exe / talk / stalk 18:44, 13 May 2014 (UTC)

This is good information, however, the bug does not just apply to browsers. A server may also load an XML file to do work such as parsing a file with an XSLT stylesheet... So we'd need to know which libraries are still affected and which have a feature that prevents the problem. Alexis Wilke (talk) 21:55, 15 October 2016 (UTC)
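The server-side concern raised above, as an added example that is not from this page, from any browser, or from any XML library: a pre-parse check in Python that computes how large a document's entity expansion would be without actually performing it, and reports the same reference-loop condition the browser errors above describe. All function names, the 100x amplification limit, the 10 MB size limit and the sample inputs are this example's own constructions.

```python
import re

# Simplified grammar for internal general entities (enough for this attack's DTD, not a full parser).
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def expansion_sizes(entities):
    """Fully expanded length of every entity, computed without expanding anything."""
    sizes, in_progress = {}, set()
    def size_of(name):
        if name in sizes:
            return sizes[name]
        if name in in_progress:   # a reference loop, the condition the browsers above report
            raise ValueError(f"recursive entity reference: {name}")
        in_progress.add(name)
        total = len(entities[name])
        for m in ENTITY_REF.finditer(entities[name]):   # each &ref; grows to size_of(ref)
            if m.group(1) in entities:
                total += size_of(m.group(1)) - len(m.group(0))
        in_progress.discard(name)
        sizes[name] = total
        return total
    for name in entities:
        size_of(name)
    return sizes
def estimate_expanded_size(xml_text):
    """Bytes the document would occupy once every entity reference is expanded."""
    sizes = expansion_sizes(dict(ENTITY_DECL.findall(xml_text)))
    body = ENTITY_DECL.sub("", xml_text)   # references inside the DTD are already counted
    return len(body) + sum(sizes[m.group(1)] - len(m.group(0))
                           for m in ENTITY_REF.finditer(body) if m.group(1) in sizes)
def check_document(xml_text, max_amplification=100.0, max_bytes=10_000_000):
    """Return 'ok', or the reason to reject the document before a real parser sees it."""
    try:
        expanded = estimate_expanded_size(xml_text)
    except ValueError as exc:
        return str(exc)
    if expanded > max_bytes or expanded > max_amplification * len(xml_text):
        return f"entity expansion too large: {expanded} bytes"
    return "ok"

def build_sample(depth=4, fanout=10):
    """Constructed test input: nested entities expanding to fanout**depth copies of "lol"."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * fanout}">')
        prev = f"lol{i}"
    return "<!DOCTYPE lolz [\n" + "\n".join(decls) + f"\n]>\n<lolz>&{prev};</lolz>"

LOOP = '<!DOCTYPE x [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><x>&a;</x>'  # constructed reference loop
```

The check is a front gate only: it sizes the expansion arithmetically, so a nine-level document is rejected in microseconds instead of after gigabytes of output, but a real parser still needs its own entity limits behind it.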