path: root/doc/security.mdwn
author: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2007-03-21 18:52:56 +0000
committer: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2007-03-21 18:52:56 +0000
commit: c8b4ba354f82fbbcebbbfca65b40a047f9920525 (patch)
tree: 6dd5bd85031e42da9a3c65d1c5c3f9bfacfdfcda /doc/security.mdwn
parent: 829d097dc52b6a8f50297406affc67fbc08dccb7 (diff)
* Fix a security hole that allowed insertion of unsafe content via the meta plugin's support for inserting html link and meta tags. Now such content is passed through the htmlscrubber like everything else.
* Unfortunately, that means that some valid uses of those tags are no longer usable, and special case methods needed to be added for including stylesheets, and for doing openid delegation. If you use either of these in your wiki, it will need to be modified. See the meta plugin docs for details.
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- doc/security.mdwn | 11 +++++++++++
1 file changed, 11 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 9b561a13e..b1e8d03f6 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -304,3 +304,14 @@ This hole was discovered on 21 March 2007 and fixed the same day (er, hour)
with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
as version 1.33.2. I recommend upgrading to one of these versions if your
wiki allows web editing or aggregates feeds.
+
+## javascript insertion via meta tags
+
+It was possible to use the meta plugin's meta tags to insert arbitrary
+url contents, which could be used to insert stylesheet information
+containing javascript. This was fixed by sanitising meta tags.
+
+This hole was discovered on 21 March 2007 and fixed the same day
+with the release of ikiwiki 1.47. A fix was also backported to Debian etch,
+as version 1.33.3. I recommend upgrading to one of these versions if your
+wiki can be edited by third parties.
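Review bot: the new advisory entry (`+This was fixed by sanitising meta tags.`) is vaguer than the commit message, which states the actual change (meta-tag output is now passed through the htmlscrubber like everything else) and, more importantly for an admin reading security.mdwn, that the fix breaks the meta plugin's previous support for including stylesheets and for OpenID delegation, so wikis using either need to be modified per the meta plugin docs; the entry should carry both points, since someone upgrading on the strength of this page will otherwise discover the breakage only after their stylesheet or OpenID delegation stops working. `+url contents` in the first paragraph is also unclear: the commit message's wording, that the plugin let page authors insert html link and meta tags, and hence reference an attacker-chosen URL such as a stylesheet containing javascript, says what was actually exploitable. Finally, the closing recommendation (`+wiki can be edited by third parties.`) is narrower than the preceding entry's "allows web editing or aggregates feeds"; if aggregated feed content could also carry meta tags, align the wording with the entry above, and if it could not, say so, because the two entries were fixed the same day and readers will assume the same exposure.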