comments: Fix missing entity encoding in title.

The meta title data set by comments needs to be encoded the same way that
meta encodes it. (NB The security implications of the missing encoding
are small.)

Note that meta's encoding of title, description, and guid data, and not
other data, is probably a special case that should be removed. Instead,
these values should be encoded when used. I have avoided doing so here
because that would mean forcing a wiki rebuild on upgrade to have the data
consitently encoded.

diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 98786f4328412448138f578ae0f04834fec39f98..4603417103c3abdb3e4d16beb6c60c8c90f05118 100644 (file)
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -221,7 +221,9 @@ sub preprocess {
        }
 
        if (defined $params{subject}) {
-               $pagestate{$page}{meta}{title} = $params{subject};
+               # encode title the same way meta does
+               eval q{use HTML::Entities};
+               $pagestate{$page}{meta}{title} = HTML::Entities::encode_numeric(decode_entities($params{subject}));
        }
 
        if ($params{page} =~ m/\/\Q$config{comments_pagename}\E\d+_/) {

diff --git a/debian/changelog b/debian/changelog
index b7b6146046537a89273c299fbb3d74b26ffe0e5e..be89d0918f3b282c96f1c876e736eb5974a9479d 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 ikiwiki (3.20100404) UNRELEASED; urgency=low
 
   * bzr: Fix bzr log parsing to work with bzr 2.0. (liw)
+  * comments: Fix missing entity encoding in title.
 
  -- Joey Hess <joeyh@debian.org>  Sun, 04 Apr 2010 12:17:11 -0400