diff options
| author | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 17:17:44 -0500 |
|---|---|---|
| committer | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 17:17:44 -0500 |
| commit | bbcf878f75ee5468c062b0a1569177b66be8001b (patch) | |
| tree | ef515e0031aefadf5b65aaca9e0a066eed5ab8ef /IkiWiki/Plugin | |
| parent | 4bfdbd4858bc7842df97902e0bc9bd5d2bef861e (diff) | |
* meta: Check that the urls provided for authorurl, permalink, and openid
are safe and can't contain javascript.
Diffstat (limited to 'IkiWiki/Plugin')
| -rw-r--r-- | IkiWiki/Plugin/meta.pm | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm index 621e87674..74b630afc 100644 --- a/IkiWiki/Plugin/meta.pm +++ b/IkiWiki/Plugin/meta.pm @@ -38,6 +38,17 @@ sub scrub ($) { #{{{ } } #}}} +sub safeurl ($) { #{{{ + my $url=shift; + if (exists $IkiWiki::Plugin::htmlscrubber::{safe_url_regexp} && + defined $IkiWiki::Plugin::htmlscrubber::safe_url_regexp) { + return $url=~/$IkiWiki::Plugin::htmlscrubber::safe_url_regexp/; + } + else { + return 1; + } +} #}}} + sub htmlize ($$$) { #{{{ my $page = shift; my $destpage = shift; @@ -88,7 +99,7 @@ sub preprocess (@) { #{{{ # fallthorough } elsif ($key eq 'authorurl') { - $pagestate{$page}{meta}{authorurl}=$value; + $pagestate{$page}{meta}{authorurl}=$value if safeurl($value); # fallthrough } @@ -106,8 +117,10 @@ sub preprocess (@) { #{{{ } } elsif ($key eq 'permalink') { - $pagestate{$page}{meta}{permalink}=$value; - push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />'); + if (safeurl($value)) { + $pagestate{$page}{meta}{permalink}=$value; + push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />'); + } } elsif ($key eq 'stylesheet') { my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet"; @@ -124,12 +137,14 @@ sub preprocess (@) { #{{{ "\" type=\"text/css\" />"; } elsif ($key eq 'openid') { - if (exists $params{server}) { + if (exists $params{server} && safeurl($params{server})) { push @{$metaheaders{$page}}, '<link href="'.encode_entities($params{server}). '" rel="openid.server" />'; } - push @{$metaheaders{$page}}, '<link href="'.encode_entities($value). - '" rel="openid.delegate" />'; + if (safeurl($value)) { + push @{$metaheaders{$page}}, '<link href="'.encode_entities($value). + '" rel="openid.delegate" />'; + } } elsif ($key eq 'redir') { return "" if $page ne $destpage; |