summaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin
diff options
context:
space:
mode:
authorJoey Hess <joey@kitenet.net>2011-03-28 12:21:12 -0400
committerJoey Hess <joey@kitenet.net>2011-03-28 12:21:12 -0400
commitbe02a80b7a19f3c33a8ea42c0750d94e0a91206f (patch)
tree1ffc2ec9905bf2662c9766d95e96430959ef2d2d /IkiWiki/Plugin
parenta0e31f38d55f659ed9ef07ce16482308807435f8 (diff)
meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled.
Diffstat (limited to 'IkiWiki/Plugin')
-rw-r--r--IkiWiki/Plugin/meta.pm4
1 files changed, 2 insertions, 2 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index ad6d1a8e3..1a9f94a12 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -174,10 +174,10 @@ sub preprocess (@) {
if (! length $stylesheet) {
error gettext("stylesheet not found")
}
- push @{$metaheaders{$page}}, '<link href="'.urlto($stylesheet, $page).
+ push @{$metaheaders{$page}}, scrub('<link href="'.urlto($stylesheet, $page).
'" rel="'.encode_entities($rel).
'" title="'.encode_entities($title).
- "\" type=\"text/css\" />";
+ "\" type=\"text/css\" />", $page, $destpage);
}
elsif ($key eq 'openid') {
my $delegate=0; # both by default