From: Joey Hess <joey@kodama.kitenet.net>
Date: Sun, 10 Feb 2008 18:55:34 +0000 (-0500)
Subject: fix backport
X-Git-Tag: 1.33.4~2
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f38ad993b4b5f293ec691e0d3182e761791ee273;p=ikiwiki.git

fix backport
---

diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index c4a0d60af..60ad17baf 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -53,7 +53,7 @@ sub scrubber { #{{{
 			span strike strong sub sup table tbody td textarea
 			tfoot th thead tr tt u ul var
 		}],
-		default => [undef, { map { $_ => 1 } qw{
+		default => [undef, { ( map { $_ => 1 } qw{
 			abbr accept accept-charset accesskey
 			align alt axis border cellpadding cellspacing
 			char charoff charset checked cite class
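Review bot: The parenthesis added before `map` on the `default =>` line is the entire fix, yet nothing in the code says why it is needed, so a later tidy-up could drop it again. Without it, `map`'s argument list runs on past the `qw{}` words and takes in the `"/" => 1` and `href => $link` pairs that follow, so those keys end up mapped to 1 and the `$link` patterns are, it appears, no longer applied. I would add a comment above the line, such as `# parens required: otherwise map swallows the "/", href, src and action pairs below and they all become => 1`. The `scrubber` sub and this hash both start and end outside the hunk.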
@@ -66,7 +66,8 @@ sub scrubber { #{{{
 			selected shape size span start summary
 			tabindex target title type usemap valign
 			value vspace width
-		}, "/" => 1, # emit proper <hr /> XHTML
+		} ),
+		"/" => 1, # emit proper <hr /> XHTML
 		href => $link,
 		src => $link,
 		action => $link,
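Review bot: `cite` is still in the `qw{}` word list (visible in the first hunk) and so is accepted with any value, while only `href`, `src` and `action` are tied to `$link` here. `cite` takes a URI, so it seems safer to constrain it the same way by adding `cite => $link,` after `action => $link,`; a later key in the hash constructor overrides the earlier `cite => 1`. The definition of `$link` and the rest of the rule hash are outside the hunk, so confirm the pattern suits it, and check the unseen part of the word list for other URI-valued attributes.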
diff --git a/debian/changelog b/debian/changelog
index 4776e1461..7dd7a2a29 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
-ikiwiki (1.33.4) testing-proposed-updates; urgency=medium
+ikiwiki (1.33.4) stable-security; urgency=high
 
-  * htmlscrubber security fix: Block javascript in uris.
+  * htmlscrubber security fix: Block javascript in uris. Closes: #465110
   * Add htmlscrubber test suite.
 
  -- Joey Hess <joeyh@debian.org>  Sun, 10 Feb 2008 13:34:28 -0500
diff --git a/t/htmlize.t b/t/htmlize.t
index edf357010..0be94ab6b 100755
--- a/t/htmlize.t
+++ b/t/htmlize.t
@@ -58,13 +58,17 @@ ok(gotcha(q{<img src="javascript.png?GOTCHA">}), "not javascript");
 ok(gotcha(q{<a href="javascript.png?GOTCHA">foo</a>}), "not javascript");
 is(IkiWiki::htmlize("foo", "mdwn",
 	q{<img alt="foo" src="foo.gif">}),
-	q{<img alt="foo" src="foo.gif">}, "img with alt tag allowed");
+	q{<p><img alt="foo" src="foo.gif"></p>
+}, "img with alt tag allowed");
 is(IkiWiki::htmlize("foo", "mdwn",
 	q{<a href="http://google.com/">}),
-	q{<a href="http://google.com/">}, "absolute url allowed");
+	q{<p><a href="http://google.com/"></p>
+}, "absolute url allowed");
 is(IkiWiki::htmlize("foo", "mdwn",
 	q{<a href="foo.html">}),
-	q{<a href="foo.html">}, "relative url allowed");
+	q{<p><a href="foo.html"></p>
+}, "relative url allowed");
 is(IkiWiki::htmlize("foo", "mdwn",
 	q{<span class="foo">bar</span>}),
-	q{<span class="foo">bar</span>}, "class attribute allowed");
+	q{<p><span class="foo">bar</span></p>
+}, "class attribute allowed");
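Review bot: The four updated expectations put a literal line break inside `q{}` to match the trailing newline, which leaves the closing `},` and the test name at column 0 and is easy to break with a whitespace cleanup. Spelling the newline out keeps each expectation on one line, e.g. `q{<p><img alt="foo" src="foo.gif"></p>}."\n", "img with alt tag allowed");`, and likewise for the other three.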