From 72ed9e455c0cb697bd01a2a44b4b63820774cc35 Mon Sep 17 00:00:00 2001
From: joey
Date: Wed, 21 Mar 2007 06:46:06 +0000
Subject: [PATCH] the real bug turned out to be in the meta plugin
---
 IkiWiki/Plugin/meta.pm | 2 +-
 debian/changelog | 4 ++--
 po/ikiwiki.pot | 2 +-
 templates/page.tmpl | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index d624757ba..f71b80fb9 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -56,7 +56,7 @@ sub preprocess (@) { #{{{
 }
 }
 elsif ($key eq 'title') {
- $title{$page}=$value;
+ $title{$page}=encode_entities($value);
 }
 elsif ($key eq 'permalink') {
 $permalink{$page}=$value;
diff --git a/debian/changelog b/debian/changelog
index 86815828a..976143aee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,8 +12,8 @@ ikiwiki (1.46) unstable; urgency=low
 same time, and let the second person resolve the conflict.
 * Applied a patch from Michał to make the mercurial backend pass --quiet to hg.
- * Fix a security hole that allowed a web user to insert
- arbitrary html in the title of a page due to missing escaping.
+ * Fix a security hole that allowed a web user to insert arbitrary html in
+ the title of a page due to missing escaping of titles in the meta plugin.
 -- Joey Hess Wed, 21 Mar 2007 01:51:30 -0400
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index d4760ed3f..2af2804ae 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-21 02:05-0400\n"
+"POT-Creation-Date: 2007-03-21 02:42-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
diff --git a/templates/page.tmpl b/templates/page.tmpl
index ba6fb8c60..471ed1a7d 100644
--- a/templates/page.tmpl
+++ b/templates/page.tmpl
@@ -3,7 +3,7 @@
-<TMPL_VAR TITLE ESCAPE=HTML>
+<TMPL_VAR TITLE>
--
2.26.2
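Review bot: In IkiWiki/Plugin/meta.pm, the `permalink` branch two lines below the fix still stores `$permalink{$page}=$value;` raw while `title` is now entity-encoded at assignment; if that value reaches a link or attribute in a template that does not escape it, the injection path the title had remains open for permalinks, so it should be encoded the same way or its escaping confirmed at the sink. Encoding at storage time also means `%title` now holds HTML rather than plain text, so any consumer that uses it outside an HTML context would see entities; a comment such as `# stored HTML-escaped; page.tmpl emits TITLE without ESCAPE=HTML` above the assignment would record that contract. The hunk does not show where `encode_entities` comes from, and `preprocess` starts and ends outside it, so confirm HTML::Entities is loaded before this branch runs.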
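Review bot: In templates/page.tmpl, dropping `ESCAPE=HTML` from `<TMPL_VAR TITLE>` removes escaping at the output sink, so the page is safe only if every code path that fills TITLE supplies already-escaped text, and this commit visibly changes only the meta plugin. Confirm that the default title used when a page sets no meta title, and any other plugin that supplies TITLE, is escaped before it reaches the template. If that cannot be guaranteed, the more robust arrangement is to keep `<TMPL_VAR TITLE ESCAPE=HTML>` here and store the raw title in the plugin, so the value is escaped exactly once at the point of output.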