authorjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2007-03-21 06:46:06 +0000
committerjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2007-03-21 06:46:06 +0000
commit72ed9e455c0cb697bd01a2a44b4b63820774cc35 (patch)
treee61e2df280af03ba0f3c7f7041d850e893bb2e2e
parentaf63a2ebff201be7173a296aeabfc2713461c543 (diff)
the real bug turned out to be in the meta plugin
-rw-r--r--IkiWiki/Plugin/meta.pm2
-rw-r--r--debian/changelog4
-rw-r--r--po/ikiwiki.pot2
-rw-r--r--templates/page.tmpl2
4 files changed, 5 insertions, 5 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index d624757ba..f71b80fb9 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -56,7 +56,7 @@ sub preprocess (@) { #{{{
}
}
elsif ($key eq 'title') {
- $title{$page}=$value;
+ $title{$page}=encode_entities($value);
}
elsif ($key eq 'permalink') {
$permalink{$page}=$value;
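Review bot: The title is now HTML-escaped when it is stored rather than when it is printed, so `%title` changes meaning from raw text to markup-safe text, and nothing at the assignment says so. A one-line comment such as `# stored HTML-escaped: page.tmpl prints TITLE without ESCAPE=HTML` would keep a later reader from escaping the value a second time or from copying an unescaped value into the hash. The `permalink` branch directly below still stores `$value` as given; whether it needs the same treatment depends on where `%permalink` is emitted, which is not visible here. The body of `preprocess` starts and ends outside this hunk, as does whatever import brings `encode_entities` into scope.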
diff --git a/debian/changelog b/debian/changelog
index 86815828a..976143aee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,8 +12,8 @@ ikiwiki (1.46) unstable; urgency=low
same time, and let the second person resolve the conflict.
* Applied a patch from MichaƂ to make the mercurial backend pass --quiet to
hg.
- * Fix a security hole that allowed a web user to insert
- arbitrary html in the title of a page due to missing escaping.
+ * Fix a security hole that allowed a web user to insert arbitrary html in
+ the title of a page due to missing escaping of titles in the meta plugin.
-- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 01:51:30 -0400
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index d4760ed3f..2af2804ae 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-21 02:05-0400\n"
+"POT-Creation-Date: 2007-03-21 02:42-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
diff --git a/templates/page.tmpl b/templates/page.tmpl
index ba6fb8c60..471ed1a7d 100644
--- a/templates/page.tmpl
+++ b/templates/page.tmpl
@@ -3,7 +3,7 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title><TMPL_VAR TITLE ESCAPE=HTML></title>
+<title><TMPL_VAR TITLE></title>
<link rel="stylesheet" href="<TMPL_VAR BASEURL>style.css" type="text/css" />
<link rel="stylesheet" href="<TMPL_VAR BASEURL>local.css" type="text/css" />
<TMPL_IF NAME="FAVICON">
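Review bot: Dropping `ESCAPE=HTML` from the `<title>` line makes the template trust every producer of `TITLE` to hand over already-escaped text, so a single code path that forgets to escape becomes HTML injection in the page head. The meta.pm hunk of this commit covers the meta plugin's `title` key; the other places that set `TITLE` are not visible on this page and should be checked against the same rule. If output-side escaping cannot be kept because it double-encodes titles that are escaped earlier, a short comment beside this line such as `<!-- TITLE must arrive HTML-escaped -->`, or an equivalent sentence in the template documentation, would at least record the contract.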