WikiProject Computer Security / Computing (Rated Start-class, Low-importance)
This was quickly created without much effort since there wasn't even any page about it before. It should most likely be merged with the DoS-attack page when it has reached proper Wikipedia standards.
I am aware that the article is not totally up to standard, but that's because I am not an expert in this area. I came here looking for an article because my Ubuntu OS wanted to install an update protecting against this kind of attack, and I did not know what it was. --Eyetoy2 (talk) 12:16, 12 June 2009 (UTC)
- If this is still under construction, shouldn't it have a tag on it or be in a user page, as it doesn't merit a full article? Jamesrules90 (talk) 15:22, 13 January 2010 (UTC)
- I disagree. I believe this article is very useful and its content is well redacted and relates well to this particular type of attack. Additionally, a reference from the DoS attack page was most welcome, as Billion laughs are a sub kind of attack. Great article. Live2create (talk) 06:44, 8 December 2010 (UTC)
- Yes, the code brings much clarity to the subject for people who are able to comprehend it. --Lajm (talk) 14:21, 21 October 2012 (UTC)
Copyright problem removed
Prior content in this article duplicated one or more previously published sources. The material was copied from: http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html. Infringing material has been rewritten or removed and must not be restored, unless it is duly released under a compatible license. (For more information, please see "using copyrighted works from others" if you are not the copyright holder of this material, or "donating copyrighted materials" if you are.) For legal reasons, we cannot accept copyrighted text or images borrowed from other web sites or published material; such additions will be deleted. Contributors may use copyrighted publications as a source of information, but not as a source of sentences or phrases. Accordingly, the material may be rewritten, but only if it does not infringe on the copyright of the original or plagiarize from that source. Please see our guideline on non-free text for how to properly implement limited quotations of copyrighted text. Wikipedia takes copyright violations very seriously, and persistent violators will be blocked from editing. While we appreciate contributions, we must require all contributors to understand and comply with these policies. Thank you. VernoWhitney (talk) 15:29, 22 April 2011 (UTC)
From memory I believe this exploit was first described on the [XML-DEV mailing list] (I was list moderator) in 1997, though it didn't use lol. IIRC it was described as a slightly esoteric potential problem rather than an exploit. If I have time I'll try to search the archives. I certainly think it merits a separate page. Petermr (talk) 08:03, 3 May 2014 (UTC)
Modern browser immunity
Firefox 29 seems to be immune. It expands lol1 to lol4 properly, but lol5 and higher do not produce more output (the result is the same as one iteration of lol4).
Occasionally the display fails with "XML Parsing Error: recursive entity reference". This can be relatively reliably reproduced by quickly refreshing the page a few times in a row.
XML Parsing Error: recursive entity reference
Line Number 15, Column 13:<lolz>&lol4;</lolz>
Internet Explorer 9 - same result, but on exceeding lol4 produces a totally blank page (no error).
Google Chrome (34.0.1847.131 m) - does not tolerate anything above lol2. Starting from lol3, it complains that the page has an "error on line 15 at column 13: Detected an entity reference loop"
- This is good information, however, the bug does not just apply to browsers. A server may also load an XML file to do work such as parsing a file with an XSLT stylesheet... So we'd need to know which libraries are still affected and which have a feature that prevents the problem. Alexis Wilke (talk) 21:55, 15 October 2016 (UTC)
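Added example, not part of the discussion above and not code from any participant or library: a server-side pre-parse check that computes how large each internal entity would become if expanded, without expanding it, and reports recursive references the way the browsers quoted above do. The function names, the regex-based scan (internal general entities with quoted literal values only) and the limit are assumptions of this sketch; the sample document is constructed and scaled down.

```python
import re

# Internal general entity declarations only: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.:-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to 1 character

def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length, without expanding it."""
    decls = {}
    for m in ENTITY_DECL.finditer(xml_text):
        decls.setdefault(m.group(1), m.group(3))  # XML: first declaration wins
    sizes = {}

    def size(name, active):
        if name in sizes:
            return sizes[name]
        if name in active:
            raise ValueError("recursive entity reference: " + name)
        value, total, pos = decls[name], 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - pos          # literal text before the reference
            target = ref.group(1)
            if target in PREDEFINED:
                total += 1
            elif target in decls:
                total += size(target, active | {name})
            else:
                total += len(ref.group(0))      # undeclared: count it as written
            pos = ref.end()
        sizes[name] = total + len(value) - pos  # trailing literal text
        return sizes[name]

    for name in decls:
        size(name, frozenset())
    return sizes

def oversized_entities(xml_text, limit=10_000):
    """Names of entities whose expansion would exceed `limit` characters."""
    return sorted(n for n, s in expanded_sizes(xml_text).items() if s > limit)

# Constructed, scaled-down sample (4 references per level, 3 levels).
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

if __name__ == "__main__":
    print(expanded_sizes(SAMPLE), oversized_entities(SAMPLE, limit=100))
```

Because sizes are memoized per entity, the check runs in time proportional to the size of the declarations, not the size of the expansion.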