author | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 14:00:00 -0500
---|---|---
committer | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 14:00:00 -0500
commit | 4e791ed69565eafd3d130528a32a385be3f1686c (patch) |
tree | 91f5aa0a868ade4415b670ef4c0d49fd3167240f |
parent | ab04d07733b7d708067e71ef8d4b39b47028d473 (diff) |
document security fix
The backported fix for stable is tagged and waiting for the security team
to upload.
-rw-r--r-- | doc/security.mdwn | 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index c51cd5b95..d834aa1a5 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -345,3 +345,13 @@ day with the release of ikiwiki 2.14. I recommend upgrading to this version if your wiki can be committed to by third parties. Alternatively, don't use a trailing slash in the srcdir, and avoid the (unusual) configurations that allow the security hole to be exploited. + +## javascript insertion via uris + +The htmlscrubber did not block javascript in uris. This was fixed by adding +a whitelist of valid uri types, which does not include javascript. + +This hole was discovered on 10 February 2008 and fixed the same day +with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch, +as version 1.33.4. I recommend upgrading to one of these versions if your +wiki can be edited by third parties. |
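Review bot: the new paragraph states that a fix "was also backported to Debian etch, as version 1.33.4", but the commit message says that backport is still "tagged and waiting for the security team to upload", so at the time this text goes live it tells etch admins to upgrade to a version they cannot yet get; either phrase it as "a fix has been prepared for Debian etch (version 1.33.4)" or hold this paragraph until the upload lands. The description of the fix is also too thin to act on: "a whitelist of valid uri types, which does not include javascript" does not tell an administrator which schemes remain allowed (so they can check that legitimate links such as mailto or ftp still render) or which ones are now dropped, so consider listing the whitelisted schemes or pointing at the htmlscrubber plugin where that list lives. Finally, the heading "javascript insertion via uris" should match the capitalisation of the existing section headings in security.mdwn.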