Diffstat (limited to 'doc')
-rw-r--r-- | doc/css_market.mdwn | 4 | ||||
-rw-r--r-- | doc/openid.mdwn | 4 | ||||
-rw-r--r-- | doc/plugins/meta.mdwn | 45 | ||||
-rw-r--r-- | doc/security.mdwn | 11 |
4 files changed, 47 insertions, 17 deletions
diff --git a/doc/css_market.mdwn b/doc/css_market.mdwn index 39e04e2d9..15cd6e4c9 100644 --- a/doc/css_market.mdwn +++ b/doc/css_market.mdwn @@ -7,13 +7,13 @@ files..) * **[[css_market/zack.css]]**, contributed by [[StefanoZacchiroli]], customized mostly for *blogging purposes*, can be seen in action on [zack's blog](http://www.bononia.it/~zack/blog/) - [[meta link="css_market/zack.css" rel="alternate stylesheet" title="zack" type="text/css"]] + [[meta stylesheet="zack"]] * **[[css_market/kirkambar.css]]**, contributed by [[Roktas]]. This far from perfect stylesheet follows a [Gitweb](http://www.kernel.org/git/?p=git/git.git;a=tree;f=gitweb) like theme, so it may provide a consistent look'n feel along with the [[git]] backend. ;-) You can see it in action on [kirkambar](http://kirkambar.net/) (Turkish content). - [[meta link="css_market/kirkambar.css" rel="alternate stylesheet" title="kirkambar" type="text/css"]] + [[meta stylesheet="kirkambar"]] If your web browser allows selecting between multiple stylesheets, this page can be viewed using any of the stylesheets above. For example, if diff --git a/doc/openid.mdwn b/doc/openid.mdwn index 5037ac4f7..a8ce46f08 100644 --- a/doc/openid.mdwn +++ b/doc/openid.mdwn @@ -28,5 +28,5 @@ registration process when using OpenID. It's also possible to make a page in the wiki usable as an OpenID url, by delegating it to an openid server. Here's an example of how to do that: - \[[meta link="http://www.myopenid.com/server" rel="openid.server"]] - \[[meta link="http://yourid.myopenid.com/" rel="openid.delegate"]] + \\[[meta openid="http://yourid.myopenid.com/" + server="http://www.myopenid.com/server"]] diff --git a/doc/plugins/meta.mdwn b/doc/plugins/meta.mdwn index 5c3098e56..cebe11f56 100644 --- a/doc/plugins/meta.mdwn +++ b/doc/plugins/meta.mdwn 
@@ -10,21 +10,25 @@ Enter the metadata as follows: The first form sets a given field to a given value, while the second form also specifies some additional sub-parameters. +The field values are treated as HTML entity-escaped text, so you can include +a quote in the text by writing `"` and so on. + You can use any field names you like, but here are some predefined ones: * link - Specifies a link to another page. This is used to generate a html - <link> tag, and also as a way to make the wiki treat one page as - linking to another without displaying a user-visible link. The latter - can be useful when using links to categorise pages. A html link tag - would look like this: + Specifies a link to another page. This can be used as a way to make the + wiki treat one page as linking to another without displaying a user-visible + [[WikiLink]]: + + \[[meta link=otherpage]] - \[[meta link="foo.css" rel="stylesheet" type="text/css"]] + It can also be used to insert a html <link> tag. For example: - A non-user-visible [[WikiLink]] would instead look like this: + \[[meta link="http://joeyh.myopenid.com/" rel="openid.delegate"]] - \[[meta link=otherpage]] + However, this latter syntax won't be allowed if the [[htmlscrubber]] is + enabled, since it can be used to insert unsafe content. * title 
@@ -53,9 +57,24 @@ You can use any field names you like, but here are some predefined ones: Specifies the creation date of the page. The date can be entered in nearly any format, since it's parsed by [[cpan TimeDate]]. -If the field is not treated specially (as the link and title fields are), -the metadata will be written to the generated html page as a <meta> -header. +* stylesheet -The field value is treated as HTML entity-escaped text, so you can include -a quote in the text by writing `"` and so on. + Adds a stylesheet to a page. The stylesheet is treated as a wiki link to + a `.css` file in the wiki, so it cannot be used to add links to external + stylesheets. Example: + + \[[meta stylesheet=somestyle rel="alternate stylesheet" + title="somestyle"]] + +* openid + + Adds html <link> tags to perform OpenID delegation to an external + OpenID server. This lets you use an ikiwiki page as your OpenID. Example: + + \\[[meta openid="http://joeyh.myopenid.com/" + server="http://www.myopenid.com/server"]] + +If the field is not one of the above predefined fields, the metadata will be +written to the generated html page as a <meta> header. However, this +won't be allowed if the [[htmlscrubber]] is enabled, since it can be used to +insert unsafe content. diff --git a/doc/security.mdwn b/doc/security.mdwn index 9b561a13e..b1e8d03f6 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn 
@@ -304,3 +304,14 @@ This hole was discovered on 21 March 2007 and fixed the same day (er, hour) with the release of ikiwiki 1.46. A fix was also backported to Debian etch, as version 1.33.2. I recommend upgrading to one of these versions if your wiki allows web editing or aggregates feeds. + +## javascript insertion via meta tags + +It was possible to use the meta plugin's meta tags to insert arbitrary +url contents, which could be used to insert stylesheet information +containing javascript. This was fixed by sanitising meta tags. + +This hole was discovered on 21 March 2007 and fixed the same day +with the release of ikiwiki 1.47. A fix was also backported to Debian etch, +as version 1.33.3. I recommend upgrading to one of these versions if your +wiki can be edited by third parties. |
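Review bot: in the doc/openid.mdwn hunk the new example begins with `\\[[meta openid=...`, while the two lines it replaces and the other examples in doc/plugins/meta.mdwn escape the directive with a single backslash (`\[[meta ...`). If the doubled backslash is not deliberate, the rendered example will show a stray backslash, so use `\[[meta openid="http://yourid.myopenid.com/"` here and in the matching `openid` example added to doc/plugins/meta.mdwn.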
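Review bot: in the first doc/plugins/meta.mdwn hunk (`@@ -10,21 +10,25 @@`), the `link` entry illustrates the `<link>` form with `rel="openid.delegate"`, which is the use the new `openid` field covers and which the following sentence says is refused when the htmlscrubber is enabled. Point readers from here to the `openid` and `stylesheet` fields as the forms to use with the scrubber on, and reword "since it can be used to insert unsafe content" so that "it" is named as the parameterised link form.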
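Review bot: the `stylesheet` entry in the second doc/plugins/meta.mdwn hunk (`@@ -53,9 +57,24 @@`) does not say what `rel` and `title` default to when they are omitted. Its example passes both, but doc/css_market.mdwn in this same patch now uses `[[meta stylesheet="zack"]]` with neither, and that page tells readers they can select between the stylesheets in their browser, which depends on them being titled alternate stylesheets. Document the defaults, and state whether the `.css` extension is appended to the given name.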
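Review bot: the new doc/security.mdwn section says the hole "was fixed by sanitising meta tags", but the doc/plugins/meta.mdwn text in this patch describes the parameterised `link` form and arbitrary fields as disallowed only "if the [[htmlscrubber]] is enabled". State that condition here so administrators know the protection depends on htmlscrubber being enabled, and mention that existing `meta link ... rel=` directives need converting to `stylesheet` or `openid`. Also confirm the discovery date, since it repeats the 21 March 2007 date of the preceding entry.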