From ebe140201ed53ee4f8cf5998c69e20d5fef2ad16 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Tue, 18 Nov 2008 10:29:16 +0000 Subject: [PATCH] comments: sanitize the body of each comment before posting it This should ensure that users can't "break out" from the enclosing
, making it impossible to forge comments (assuming htmlscrubber is enabled, and so is either htmlbalance or htmltidy). --- IkiWiki/Plugin/comments.pm | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 9359e9487..c545a1335 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -250,6 +250,17 @@ sub sessioncgi ($$) { #{{{ $body =~ s/>/>/g; } + IkiWiki::run_hooks(sanitize => sub { + # $fake is a possible location for this comment. We don't + # know yet what the comment number *actually* is. + my $fake = "$page/_comment_1"; + $body=shift->( + page => $fake, + destpage => $fake, + content => $body, + ); + }); + # In this template, the [[!meta]] directives should stay at the end, # so that they will override anything the user specifies. (For # instance, [[!meta author="I can fake the author"]]...) @@ -268,9 +279,9 @@ sub sessioncgi ($$) { #{{{ # - this means that if they do, rocks fall and everyone dies if ($form->submitted eq PREVIEW) { - # $fake is a location that has the same number of slashes - # as the eventual location of this comment. - my $fake = "$page/_comments_hypothetical"; + # $fake is a possible location for this comment. We don't + # know yet what the comment number *actually* is. + my $fake = "$page/_comment_1"; my $preview = IkiWiki::htmlize($fake, $page, 'mdwn', IkiWiki::linkify($page, $page, IkiWiki::preprocess($page, $page, -- 2.26.2