From 4ca5fed1e9bf8e0c506b683f1b55e8d44cf2a4f7 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Sat, 26 Feb 2022 01:05:44 -0800 Subject: [PATCH] Better citations --- content/posts/floss-security.md | 21 ++++++++++++--------- content/posts/website-best-practices.md | 2 +- layouts/partials/posts.html | 2 +- layouts/shortcodes/indieweb-person.html | 2 +- 4 files changed, 15 insertions(+), 12 deletions(-) diff --git a/content/posts/floss-security.md b/content/posts/floss-security.md index 678847c..d94353f 100644 --- a/content/posts/floss-security.md +++ b/content/posts/floss-security.md 
@@ -138,13 +138,16 @@ Manual invocation of a program paired with a tracer like `strace` won't always e Fuzzing doesn't necessarily depend on access to source code, as it is a black-box technique. Fuzzers like [American Fuzzy Loop (AFL)](https://lcamtuf.coredump.cx/afl/) normally use [special builds](#special-builds), but [other fuzzing setups](https://aflplus.plus/docs/binaryonly_fuzzing/) can work with just about any binaries. In fact, some types of fuzz tests (e.g. [fuzzing an API](https://github.com/KissPeter/APIFuzzer/) for a web service) hardly need any implementation details. -Fuzzing frequently catches bugs that are only apparent by running a program, not by reading source code. Even so, the biggest beneficiaries of fuzzing are open source projects. [cURL](https://github.com/curl/curl-fuzzer), [OpenSSL](https://github.com/openssl/openssl/tree/master/fuzz), web browsers, text rendering libraries (HarfBuzz, FreeType) and toolchains (GCC, Clang, the official Go toolchain, etc.) are some notable examples. {{}} wrote about fuzzing curl: +Fuzzing frequently catches bugs that are only apparent by running a program, not by reading source code. Even so, the biggest beneficiaries of fuzzing are open source projects. [cURL](https://github.com/curl/curl-fuzzer), [OpenSSL](https://github.com/openssl/openssl/tree/master/fuzz), web browsers, text rendering libraries (HarfBuzz, FreeType) and toolchains (GCC, Clang, the official Go toolchain, etc.) are some notable examples. -
-

-I've said it before but let me say it again: fuzzing is really the top method to find problems in curl once we've fixed all flaws that the static analyzers we use have pointed out. The primary fuzzing for curl is done by OSS-Fuzz, that tirelessly keeps hammering on the most recent curl code. -

-
+
+
+

I've said it before but let me say it again: fuzzing is really the top method to find problems in curl once we've fixed all flaws that the static analyzers we use have pointed out. The primary fuzzing for curl is done by OSS-Fuzz, that tirelessly keeps hammering on the most recent curl code.

+
+
+ — {{
+
If you want to get started with fuzzing, I recommend checking out [the quick-start guide for American Fuzzy Loop](https://github.com/google/AFL/blob/master/docs/QuickStartGuide.txt). Some languages like Go 1.18 also have fuzzing tools available right in the standard library. @@ -152,9 +155,9 @@ If you want to get started with fuzzing, I recommend checking out [the quick-sta A recent example of how fuzzing helps spot a vulnerability in an open-source project is [CVE-2022-0185](https://www.openwall.com/lists/oss-security/2022/01/18/7): a Linux 0-day found by the Crusaders of Rust a few weeks ago. It was discovered using the [syzkaller](https://github.com/google/syzkaller) kernel fuzzer. The process was documented on Will's Root: - -CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers by {{}} - + + CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers by + I _highly_ encourage giving it a read; it's the perfect example of fuzzing with sanitizers to find a vulnerability, reproducing the vulnerability (by writing a tiny C program), _then_ diving into the source code to find and fix the cause, and finally reporting the issue (with a patch!). When source isn't available, the vendor would assume responsibility for the "find and fix" steps. diff --git a/content/posts/website-best-practices.md b/content/posts/website-best-practices.md index 7c15c39..3bd8dd4 100644 --- a/content/posts/website-best-practices.md +++ b/content/posts/website-best-practices.md @@ -275,7 +275,7 @@ Underlines also make it easy for readers with color vision deficiencies to disti

Color is not used as the only visual means of conveying information, indicating an action, prompting a response, or distinguishing a visual element. (Level A)

- — WCAG 2.0, section 1.4.1 + — WCAG 2.0, section 1.4.1
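Review bot: in the hunk for content/posts/website-best-practices.md, the removed and added lines are identical as text (`— WCAG 2.0, section 1.4.1`), so the actual change is in markup this view does not show and a reviewer cannot tell from the patch alone what became "better". While touching this line: WCAG calls 1.4.1 a success criterion rather than a section, and its title is "Use of Color"; citing it as "WCAG 2.0, Success Criterion 1.4.1 Use of Color" with a link to that criterion in the spec would make the attribution precise and checkable.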
diff --git a/layouts/partials/posts.html b/layouts/partials/posts.html index 6080a3b..9b810bb 100644 --- a/layouts/partials/posts.html +++ b/layouts/partials/posts.html @@ -4,7 +4,7 @@ {{ else -}}

Posts

{{ end -}} -

Timestamp format: YYYY-MM-DD, as per RFC 3339 and ISO 8601

+

Timestamp format: YYYY-MM-DD, as per RFC 3339 and ISO 8601
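Review bot: in the first hunk of content/posts/floss-security.md (the fuzzing paragraph), dropping `{{…}} wrote about fuzzing curl:` from the end of the paragraph leaves the quotation without a lead-in: the reader goes straight from the list of notable examples to "I've said it before but let me say it again", and only the trailing `— {{` attribution after the quote says who is speaking. Keep a short introductory clause before the quote block, or at least make sure the caption names both the author and the source post, so the citation still reads as one unit. Unrelated to this change but in the surrounding context lines: the fuzzer is American Fuzzy Lop, not "American Fuzzy Loop" (it appears twice, in the first sentence and in the quick-start guide link).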
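Review bot: in the second hunk of content/posts/floss-security.md (the CVE-2022-0185 citation), the caption line now ends with a bare `by` and the author shortcode moves to its own line; this renders fine because the newline collapses to a space, but keeping the title and the author on one line avoids a stray whitespace node between `by` and the name and keeps the citation greppable as a single string. In the context line above it, "a few weeks ago" will be wrong shortly after publication; an absolute date (the oss-security URL already carries 2022/01/18) ages better.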
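Review bot: in the layouts/partials/posts.html hunk, the visible text (`Timestamp format: YYYY-MM-DD, as per RFC 3339 and ISO 8601`) is unchanged between the removed and added lines, so this is a markup-only change; a word in the commit message about which element changed would help, since "Better citations" does not obviously cover a partial that renders post timestamps. The diffstat also lists layouts/shortcodes/indieweb-person.html (1 insertion, 1 deletion) but no hunk for it appears in this view; the new captions in floss-security.md depend on that shortcode's output, so the patch should be reviewed together with that hunk.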