summaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin
diff options
context:
space:
mode:
authorJoey Hess <joey@kodama.kitenet.net>2008-02-10 17:17:44 -0500
committerJoey Hess <joey@kodama.kitenet.net>2008-02-10 17:17:44 -0500
commitbbcf878f75ee5468c062b0a1569177b66be8001b (patch)
treeef515e0031aefadf5b65aaca9e0a066eed5ab8ef /IkiWiki/Plugin
parent4bfdbd4858bc7842df97902e0bc9bd5d2bef861e (diff)
* meta: Check that the urls provided for authorurl, permalink, and openid
are safe and can't contain javascript.
Diffstat (limited to 'IkiWiki/Plugin')
-rw-r--r--IkiWiki/Plugin/meta.pm27
1 files changed, 21 insertions, 6 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 621e87674..74b630afc 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -38,6 +38,17 @@ sub scrub ($) { #{{{
}
} #}}}
+sub safeurl ($) { #{{{
+ my $url=shift;
+ if (exists $IkiWiki::Plugin::htmlscrubber::{safe_url_regexp} &&
+ defined $IkiWiki::Plugin::htmlscrubber::safe_url_regexp) {
+ return $url=~/$IkiWiki::Plugin::htmlscrubber::safe_url_regexp/;
+ }
+ else {
+ return 1;
+ }
+} #}}}
+
sub htmlize ($$$) { #{{{
my $page = shift;
my $destpage = shift;
@@ -88,7 +99,7 @@ sub preprocess (@) { #{{{
# fallthorough
}
elsif ($key eq 'authorurl') {
- $pagestate{$page}{meta}{authorurl}=$value;
+ $pagestate{$page}{meta}{authorurl}=$value if safeurl($value);
# fallthrough
}
@@ -106,8 +117,10 @@ sub preprocess (@) { #{{{
}
}
elsif ($key eq 'permalink') {
- $pagestate{$page}{meta}{permalink}=$value;
- push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />');
+ if (safeurl($value)) {
+ $pagestate{$page}{meta}{permalink}=$value;
+ push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />');
+ }
}
elsif ($key eq 'stylesheet') {
my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
@@ -124,12 +137,14 @@ sub preprocess (@) { #{{{
"\" type=\"text/css\" />";
}
elsif ($key eq 'openid') {
- if (exists $params{server}) {
+ if (exists $params{server} && safeurl($params{server})) {
push @{$metaheaders{$page}}, '<link href="'.encode_entities($params{server}).
'" rel="openid.server" />';
}
- push @{$metaheaders{$page}}, '<link href="'.encode_entities($value).
- '" rel="openid.delegate" />';
+ if (safeurl($value)) {
+ push @{$metaheaders{$page}}, '<link href="'.encode_entities($value).
+ '" rel="openid.delegate" />';
+ }
}
elsif ($key eq 'redir') {
return "" if $page ne $destpage;