From 8e23b4ca861d62398190940f5bffa76343da5a50 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sun, 10 Feb 2008 18:35:45 -0500
Subject: [PATCH] * meta: Check that the urls provided for authorurl, permalink, and openid are safe and can't contain javascript.
---
IkiWiki/Plugin/meta.pm | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 5223d8ff6..5543733d7 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -35,6 +35,17 @@ sub scrub ($) { #{{{
}
} #}}}

+sub safeurl ($) { #{{{
+ my $url=shift;
+ if (exists $IkiWiki::Plugin::htmlscrubber::{safe_url_regexp} &&
+ defined $IkiWiki::Plugin::htmlscrubber::safe_url_regexp) {
+ return $url=~/$IkiWiki::Plugin::htmlscrubber::safe_url_regexp/;
+ }
+ else {
+ return 1;
+ }
+} #}}}
+
sub preprocess (@) { #{{{
if (! @_) {
return "";
@@ -67,8 +78,10 @@ sub preprocess (@) { #{{{
$title{$page}=encode_entities($value);
}
elsif ($key eq 'permalink') {
- $permalink{$page}=$value;
- $meta{$page}.=scrub("\n");
+ if (safeurl($value)) {
+ $permalink{$page}=$value;
+ $meta{$page}.=scrub("\n");
+ }
}
elsif ($key eq 'stylesheet') {
my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
@@ -85,12 +98,14 @@ sub preprocess (@) { #{{{
"\" style=\"text/css\" />\n";
}
elsif ($key eq 'openid') {
- if (exists $params{server}) {
+ if (exists $params{server} && safeurl($params{server})) {
$meta{$page}.='\n";
}
- $meta{$page}.='\n";
+ if (safeurl($value)) {
+ $meta{$page}.='\n";
+ }
}
else {
$meta{$page}.=scrub("
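Review bot: safeurl() fails open — when the `exists`/`defined` test on `$IkiWiki::Plugin::htmlscrubber::safe_url_regexp` finds nothing (htmlscrubber not loaded), the `else` branch returns 1 and every url is accepted, so the javascript: protection named in the subject only exists while the htmlscrubber plugin is enabled. That is presumably intentional, since without the scrubber the wiki already trusts raw html, but nothing in the sub says so, and the check also depends on `safe_url_regexp` being anchored at the start of the string, which this hunk cannot show. I would put a header comment above `sub safeurl`: `# True if $url matches htmlscrubber's safe_url_regexp. With htmlscrubber not loaded there is nothing to check against, so every url is accepted (fail open by design); relies on the regexp being anchored.` The subject also names authorurl, but no authorurl branch appears in the hunks visible here; confirm it received the same safeurl() gate.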
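Review bot: A permalink value rejected by safeurl() is now dropped silently — neither `$permalink{$page}` nor `$meta{$page}` is touched and the page author gets no hint why the directive had no effect; the openid server and delegate urls in the following hunk are dropped the same way, so a single documented policy would serve all three. The gate is also easy to mistake for redundancy, because the emitted link already goes through scrub(), while `$permalink{$page}` is stored raw from `$value` and is what the new check actually protects. I would add above the new `if (safeurl($value)) {`: `# Gate on safeurl(): $permalink{$page} is stored raw, so scrub() on the link tag alone is not enough`. Whether a rejected url should be reported to the author rather than ignored is a design choice worth settling in the same comment. preprocess's body continues on both sides of this hunk.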