if (exists $pagesources{$page}) {
$file=$pagesources{$page};
$type=pagetype($file);
+ if (! defined $type) {
+ error("$page is not an editable page");
+ }
}
else {
$type=$form->param('type');
return $params{content};
} # }}}
+sub scrub ($) { #{{{
+ if (IkiWiki::Plugin::htmlscrubber->can("sanitize")) {
+ return IkiWiki::Plugin::htmlscrubber::sanitize(content => shift);
+ }
+ else {
+ return shift;
+ }
+} #}}}
+
sub preprocess (@) { #{{{
if (! @_) {
return "";
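Review bot: scrub() returns its argument untouched whenever IkiWiki::Plugin::htmlscrubber does not provide sanitize(), and nothing in the sub says that this pass-through is deliberate policy rather than an oversight, so the intent should be stated above the `can` test, e.g. `# Without the htmlscrubber plugin loaded the admin has opted out of sanitizing, so pass the markup through unchanged.`. The `can("sanitize")` test is what ties the new scrubbing to the plugin being enabled, and documenting it also tells a reader why enabling htmlscrubber changes which link and meta tags survive, as the changelog in this commit describes. The two bare `shift` calls each consume the single content argument, which is correct but reads oddly across the two branches; `my $content = shift;` at the top of the sub would make that plainer.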
if ($key eq 'link') {
if (%params) {
- $meta{$page}.="<link href=\"".encode_entities($value)."\" ".
+ $meta{$page}.=scrub("<link href=\"".encode_entities($value)."\" ".
join(" ", map { encode_entities($_)."=\"".encode_entities(decode_entities($params{$_}))."\"" } keys %params).
- " />\n";
+ " />\n");
}
else {
# hidden WikiLink
}
}
elsif ($key eq 'title') {
- $title{$page}=$value;
+ $title{$page}=encode_entities($value);
}
elsif ($key eq 'permalink') {
$permalink{$page}=$value;
- $meta{$page}.="<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n";
+ $meta{$page}.=scrub("<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n");
+ }
+ elsif ($key eq 'stylesheet') {
+ my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
+ my $title=exists $params{title} ? $params{title} : $value;
+ # adding .css to the value prevents using any old web
+ # editable page as a stylesheet
+ my $stylesheet=bestlink($page, $value.".css");
+ if (! length $stylesheet) {
+ return "[[meta ".gettext("stylesheet not found")."]]";
+ }
+ $meta{$page}.='<link href="'.$stylesheet.
+ '" rel="'.encode_entities($rel).
+ '" title="'.encode_entities($title).
+ "\" style=\"text/css\" />\n";
+ }
+ elsif ($key eq 'openid') {
+ if (exists $params{server}) {
+ $meta{$page}.='<link href="'.encode_entities($params{server}).
+ "\" rel=\"openid.server\" />\n";
+ }
+ $meta{$page}.='<link href="'.encode_entities($value).
+ "\" rel=\"openid.delegate\" />\n";
}
else {
- $meta{$page}.="<meta name=\"".encode_entities($key).
- "\" content=\"".encode_entities($value)."\" />\n";
+ $meta{$page}.=scrub("<meta name=\"".encode_entities($key).
+ "\" content=\"".encode_entities($value)."\" />\n");
if ($key eq 'author') {
$author{$page}=$value;
}
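Review bot: The stylesheet branch closes the generated link tag with `style="text/css"`, but the attribute carrying a stylesheet's MIME type is `type`, so that line should read `"\" type=\"text/css\" />\n";` (the docs and css_market examples changed in this same commit use `type="text/css"`). Most browsers appear to assume text/css when `type` is absent, so the practical impact is probably small, but the stray `style` attribute is not valid on link and contradicts the documented form. Separately, `$stylesheet` as returned by bestlink() is concatenated into the href with neither encode_entities() nor conversion to a page-relative URL, unlike every other href built in this hunk; if bestlink() returns a bare page name, links from subpages would resolve incorrectly, which is worth confirming against how the rest of the plugin builds hrefs. preprocess() begins before this hunk and continues after it.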
+ikiwiki (1.32.3) unstable; urgency=low
+
+ Due to a security fix, wikis that have the htmlscrubber enabled can no
+ longer use the meta plugin to insert html link and meta tags.
+
+ Some special case methods have been added for safely including stylesheets,
+ and for doing openid delegation. See the meta plugin docs for details.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 14:56:30 -0400
+
ikiwiki (1.32) unstable; urgency=low
There is a change to the plugin interface in this version. Any plugins that
+ikiwiki (1.33.3) testing-proposed-updates; urgency=medium
+
+ * Fix a security hole that allowed insertion of unsafe content via the meta
+ plugins's support for inserting html link and meta tags. Now such content
+ is passed through the htmlscrubber like everything else.
+ * Unfortunatly, that means that some valid uses of those tags are no longer
+ usable, and special case methods needed to be added for including
+ stylesheets, and for doing openid delegation. If you use either of these
+ in your wiki, it will need to be modified. See the meta plugin docs
+ for details.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 14:56:48 -0400
+
+ikiwiki (1.33.2) testing-proposed-updates; urgency=medium
+
+ * Backport fix for a security hole that allowed a web user to insert
+ arbitrary html in the title of a page due to missing escaping of
+ titles in the meta plugin.
+ * Fix examples directory location.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 01:55:02 -0400
+
+ikiwiki (1.33.1) testing-proposed-updates; urgency=medium
+
+ * Backport fix for a security hole that allowed a web user to edit images
+ and other non-page format files in the wiki. To exploit this, the file
+ already had to exist in the wiki, and the web user would need to somehow
+ use the web based editor to replace it with malicious content.
+
+ -- Joey Hess <joeyh@debian.org> Sat, 10 Feb 2007 15:30:12 -0500
+
ikiwiki (1.33) unstable; urgency=low
* Fix issue with aggregate plugin updating expired pages.
DESTDIR=$(shell pwd)/debian/ikiwiki
dh_install wikilist etc/ikiwiki
dh_installdocs html
- dh_installexamples doc/examples
+ dh_installexamples doc/examples/*
dh_link usr/share/common-licenses/GPL usr/share/doc/ikiwiki/html/GPL
dh_installchangelogs
dh_compress -X html
* **[[css_market/zack.css]]**, contributed by [[StefanoZacchiroli]],
customized mostly for *blogging purposes*, can be seen in action on
[zack's blog](http://www.bononia.it/~zack/blog/)
- [[meta link="css_market/zack.css" rel="alternate stylesheet" title="zack" type="text/css"]]
+ [[meta stylesheet="zack"]]
* **[[css_market/kirkambar.css]]**, contributed by [[Roktas]]. This far from perfect
stylesheet follows a [Gitweb](http://www.kernel.org/git/?p=git/git.git;a=tree;f=gitweb)
like theme, so it may provide a consistent look'n feel along with the [[git]] backend. ;-)
You can see it in action on [kirkambar](http://kirkambar.net/) (Turkish content).
- [[meta link="css_market/kirkambar.css" rel="alternate stylesheet" title="kirkambar" type="text/css"]]
+ [[meta stylesheet="kirkambar"]]
If your web browser allows selecting between multiple stylesheets, this
page can be viewed using any of the stylesheets above. For example, if
The first form sets a given field to a given value, while the second form
also specifies some additional sub-parameters.
+The field values are treated as HTML entity-escaped text, so you can include
+a quote in the text by writing `"` and so on.
+
You can use any field names you like, but here are some predefined ones:
* link
- Specifies a link to another page. This is used to generate a html
- <link> tag, and also as a way to make the wiki treat one page as
- linking to another without displaying a user-visible link. The latter
- can be useful when using links to categorise pages. A html link tag
- would look like this:
+ Specifies a link to another page. This can be used as a way to make the
+ wiki treat one page as linking to another without displaying a user-visible
+ [[WikiLink]]:
+
+ \[[meta link=otherpage]]
- \[[meta link="foo.css" rel="stylesheet" type="text/css"]]
+ It can also be used to insert a html <link> tag. For example:
- A non-user-visible [[WikiLink]] would instead look like this:
+ \[[meta link="http://joeyh.myopenid.com/" rel="openid.delegate"]]
- \[[meta link=otherpage]]
+ However, this latter syntax won't be allowed if the [[htmlscrubber]] is
+ enabled, since it can be used to insert unsafe content.
* title
Specifies a permanent link to the page, if different than the page
generated by ikiwiki.
-If the field is not treated specially (as the link and title fields are),
-the metadata will be written to the generated html page as a <meta>
-header.
+* stylesheet
-The field value is treated as HTML entity-escaped text, so you can include
-a quote in the text by writing `"` and so on.
+ Adds a stylesheet to a page. The stylesheet is treated as a wiki link to
+ a `.css` file in the wiki, so it cannot be used to add links to external
+ stylesheets. Example:
+
+ \[[meta stylesheet=somestyle rel="alternate stylesheet"
+ title="somestyle"]]
+
+* openid
+
+ Adds html <link> tags to perform OpenID delegation to an external
+ OpenID server. This lets you use an ikiwiki page as your OpenID. Example:
+
+ \\[[meta openid="http://joeyh.myopenid.com/"
+ server="http://www.myopenid.com/server"]]
+
+If the field is not one of the above predefined fields, the metadata will be
+written to the generated html page as a <meta> header. However, this
+won't be allowed if the [[htmlscrubber]] is enabled, since it can be used to
+insert unsafe content.
If this plugin is enabled, the title of this page will say that it is.
[[meta title="meta plugin (enabled)"]]