author     joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>  2007-03-21 18:52:56 +0000
committer  joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>  2007-03-21 18:52:56 +0000
commit     c8b4ba354f82fbbcebbbfca65b40a047f9920525 (patch)
tree       6dd5bd85031e42da9a3c65d1c5c3f9bfacfdfcda /doc
parent     829d097dc52b6a8f50297406affc67fbc08dccb7 (diff)
* Fix a security hole that allowed insertion of unsafe content via the meta
  plugin's support for inserting html link and meta tags. Now such content is
  passed through the htmlscrubber like everything else.
* Unfortunately, that means that some valid uses of those tags are no longer
  usable, and special case methods needed to be added for including
  stylesheets, and for doing openid delegation. If you use either of these in
  your wiki, it will need to be modified. See the meta plugin docs for details.
Diffstat (limited to 'doc')
-rw-r--r--  doc/css_market.mdwn     4
-rw-r--r--  doc/openid.mdwn         4
-rw-r--r--  doc/plugins/meta.mdwn  45
-rw-r--r--  doc/security.mdwn      11
4 files changed, 47 insertions, 17 deletions
diff --git a/doc/css_market.mdwn b/doc/css_market.mdwn
index 39e04e2d9..15cd6e4c9 100644
--- a/doc/css_market.mdwn
+++ b/doc/css_market.mdwn
@@ -7,13 +7,13 @@ files..)
* **[[css_market/zack.css]]**, contributed by [[StefanoZacchiroli]],
customized mostly for *blogging purposes*, can be seen in action on
[zack's blog](http://www.bononia.it/~zack/blog/)
- [[meta link="css_market/zack.css" rel="alternate stylesheet" title="zack" type="text/css"]]
+ [[meta stylesheet="zack"]]
* **[[css_market/kirkambar.css]]**, contributed by [[Roktas]]. This far from perfect
stylesheet follows a [Gitweb](http://www.kernel.org/git/?p=git/git.git;a=tree;f=gitweb)
like theme, so it may provide a consistent look'n feel along with the [[git]] backend. ;-)
You can see it in action on [kirkambar](http://kirkambar.net/) (Turkish content).
- [[meta link="css_market/kirkambar.css" rel="alternate stylesheet" title="kirkambar" type="text/css"]]
+ [[meta stylesheet="kirkambar"]]
If your web browser allows selecting between multiple stylesheets, this
page can be viewed using any of the stylesheets above. For example, if
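Review bot: the replacement `[[meta stylesheet="zack"]]` (and likewise `[[meta stylesheet="kirkambar"]]`) drops the `rel="alternate stylesheet"` and `title="zack"` that the removed directive carried, while the stylesheet field added to doc/plugins/meta.mdwn in this same patch lists `rel` and `title` as sub-parameters. Unless the bare form defaults to an alternate stylesheet, both entries will now load as the page's primary stylesheet and the paragraph about selecting between multiple stylesheets stops being accurate; suggest `[[meta stylesheet="zack" rel="alternate stylesheet" title="zack"]]` and the same for kirkambar.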
diff --git a/doc/openid.mdwn b/doc/openid.mdwn
index 5037ac4f7..a8ce46f08 100644
--- a/doc/openid.mdwn
+++ b/doc/openid.mdwn
@@ -28,5 +28,5 @@ registration process when using OpenID.
It's also possible to make a page in the wiki usable as an OpenID url,
by delegating it to an openid server. Here's an example of how to do that:
- \[[meta link="http://www.myopenid.com/server" rel="openid.server"]]
- \[[meta link="http://yourid.myopenid.com/" rel="openid.delegate"]]
+ \\[[meta openid="http://yourid.myopenid.com/"
+ server="http://www.myopenid.com/server"]]
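Review bot: the new example is escaped as `\\[[meta openid=...` with a doubled backslash, whereas the other directive examples in this patch use a single `\[[` (for instance `\[[meta link=otherpage]]` in doc/plugins/meta.mdwn), so a literal backslash is likely to render in front of the directive. Use one escaping convention throughout, and consider keeping the directive on a single line, since the continuation line `server="http://www.myopenid.com/server"]]` is easy to copy incorrectly.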
diff --git a/doc/plugins/meta.mdwn b/doc/plugins/meta.mdwn
index 5c3098e56..cebe11f56 100644
--- a/doc/plugins/meta.mdwn
+++ b/doc/plugins/meta.mdwn
@@ -10,21 +10,25 @@ Enter the metadata as follows:
The first form sets a given field to a given value, while the second form
also specifies some additional sub-parameters.
+The field values are treated as HTML entity-escaped text, so you can include
+a quote in the text by writing `&quot;` and so on.
+
You can use any field names you like, but here are some predefined ones:
* link
- Specifies a link to another page. This is used to generate a html
- &lt;link&gt; tag, and also as a way to make the wiki treat one page as
- linking to another without displaying a user-visible link. The latter
- can be useful when using links to categorise pages. A html link tag
- would look like this:
+ Specifies a link to another page. This can be used as a way to make the
+ wiki treat one page as linking to another without displaying a user-visible
+ [[WikiLink]]:
+
+ \[[meta link=otherpage]]
- \[[meta link="foo.css" rel="stylesheet" type="text/css"]]
+ It can also be used to insert a html &lt;link&gt; tag. For example:
- A non-user-visible [[WikiLink]] would instead look like this:
+ \[[meta link="http://joeyh.myopenid.com/" rel="openid.delegate"]]
- \[[meta link=otherpage]]
+ However, this latter syntax won't be allowed if the [[htmlscrubber]] is
+ enabled, since it can be used to insert unsafe content.
* title
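Review bot: "this latter syntax won't be allowed if the [[htmlscrubber]] is enabled" leaves it unclear whether the directive raises an error, is ignored, or whether the generated <link> tag is simply stripped; the commit message says such content is now passed through the htmlscrubber, so say that the resulting tag is scrubbed like any other html. The example chosen for the html link form, `rel="openid.delegate"`, is also exactly the case the new `openid` field in the next hunk exists for; pointing readers at the `openid` and `stylesheet` fields here would stop them copying a form that no longer works on a scrubbed wiki.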
@@ -53,9 +57,24 @@ You can use any field names you like, but here are some predefined ones:
Specifies the creation date of the page. The date can be entered in
nearly any format, since it's parsed by [[cpan TimeDate]].
-If the field is not treated specially (as the link and title fields are),
-the metadata will be written to the generated html page as a &lt;meta&gt;
-header.
+* stylesheet
-The field value is treated as HTML entity-escaped text, so you can include
-a quote in the text by writing `&quot;` and so on.
+ Adds a stylesheet to a page. The stylesheet is treated as a wiki link to
+ a `.css` file in the wiki, so it cannot be used to add links to external
+ stylesheets. Example:
+
+ \[[meta stylesheet=somestyle rel="alternate stylesheet"
+ title="somestyle"]]
+
+* openid
+
+ Adds html &lt;link&gt; tags to perform OpenID delegation to an external
+ OpenID server. This lets you use an ikiwiki page as your OpenID. Example:
+
+ \\[[meta openid="http://joeyh.myopenid.com/"
+ server="http://www.myopenid.com/server"]]
+
+If the field is not one of the above predefined fields, the metadata will be
+written to the generated html page as a &lt;meta&gt; header. However, this
+won't be allowed if the [[htmlscrubber]] is enabled, since it can be used to
+insert unsafe content.
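Review bot: the stylesheet entry documents `rel` and `title` as sub-parameters but not what is used when they are omitted, and doc/css_market.mdwn in this same patch now relies on the bare `[[meta stylesheet="zack"]]` form; state the default `rel` here. The openid example again uses the doubled `\\[[` while the stylesheet example a few lines above uses `\[[`; make the escaping consistent.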
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 9b561a13e..b1e8d03f6 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -304,3 +304,14 @@ This hole was discovered on 21 March 2007 and fixed the same day (er, hour)
with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
as version 1.33.2. I recommend upgrading to one of these versions if your
wiki allows web editing or aggregates feeds.
+
+## javascript insertion via meta tags
+
+It was possible to use the meta plugin's meta tags to insert arbitrary
+url contents, which could be used to insert stylesheet information
+containing javascript. This was fixed by sanitising meta tags.
+
+This hole was discovered on 21 March 2007 and fixed the same day
+with the release of ikiwiki 1.47. A fix was also backported to Debian etch,
+as version 1.33.3. I recommend upgrading to one of these versions if your
+wiki can be edited by third parties.
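Review bot: the advisory describes the fix as "sanitising meta tags" but does not mention that it also changes the directive syntax: per the commit message, wikis that used `meta link` for stylesheets or OpenID delegation must be converted to the new `stylesheet` and `openid` fields after upgrading to 1.47 or 1.33.3. An admin reading only this section will not know that pages need editing; add a sentence pointing at the meta plugin docs. "insert arbitrary url contents" is also vague; "insert <link> and <meta> tags pointing at arbitrary urls" states what was actually possible.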