authorSimon McVittie <smcv@ http://smcv.pseudorandom.co.uk/>2008-11-18 10:29:16 +0000
committerSimon McVittie <smcv@ http://smcv.pseudorandom.co.uk/>2008-12-11 21:14:03 +0000
commitebe140201ed53ee4f8cf5998c69e20d5fef2ad16 (patch)
tree9efb1bef4eb2bbb347c7c890390aa7343165f258
parent57e40b9ce5345530f31f4d1b25a49ed18228a8dd (diff)
comments: sanitize the body of each comment before posting it
This should ensure that users can't "break out" from the enclosing <div>, making it impossible to forge comments (assuming htmlscrubber is enabled, and so is either htmlbalance or htmltidy).
-rw-r--r--IkiWiki/Plugin/comments.pm17
1 files changed, 14 insertions, 3 deletions
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 9359e9487..c545a1335 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -250,6 +250,17 @@ sub sessioncgi ($$) { #{{{
$body =~ s/>/&gt;/g;
}
+ IkiWiki::run_hooks(sanitize => sub {
+ # $fake is a possible location for this comment. We don't
+ # know yet what the comment number *actually* is.
+ my $fake = "$page/_comment_1";
+ $body=shift->(
+ page => $fake,
+ destpage => $fake,
+ content => $body,
+ );
+ });
+
# In this template, the [[!meta]] directives should stay at the end,
# so that they will override anything the user specifies. (For
# instance, [[!meta author="I can fake the author"]]...)
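Review bot: The sanitize hooks run over `$body` are the only thing keeping raw HTML out of the comment, yet nothing in the hunk records that this depends on which plugins are loaded; with no sanitize hooks registered `IkiWiki::run_hooks` leaves `$body` untouched. A short comment above the call would make the dependency visible at the point of use, e.g. `# Relies on htmlscrubber (plus htmlbalance or htmltidy) being enabled; with no sanitize hooks loaded this is a pass-through.` The `$fake` location and its two-line explanatory comment are duplicated verbatim in the PREVIEW branch of the second hunk (`my $fake = "$page/_comment_1";` at both sites), so declaring `my $fake` once earlier in sessioncgi and reusing it would keep the two paths from drifting apart. The hooks here are run with `destpage => $fake`, while the preview call in the second hunk passes `$page` as the destination page; this may be intentional, but it is worth confirming the two agree. sessioncgi starts and ends outside this hunk.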
@@ -268,9 +279,9 @@ sub sessioncgi ($$) { #{{{
# - this means that if they do, rocks fall and everyone dies
if ($form->submitted eq PREVIEW) {
- # $fake is a location that has the same number of slashes
- # as the eventual location of this comment.
- my $fake = "$page/_comments_hypothetical";
+ # $fake is a possible location for this comment. We don't
+ # know yet what the comment number *actually* is.
+ my $fake = "$page/_comment_1";
my $preview = IkiWiki::htmlize($fake, $page, 'mdwn',
IkiWiki::linkify($page, $page,
IkiWiki::preprocess($page, $page,