From 54541869392f162bb195b8b67814ef0a394c1961 Mon Sep 17 00:00:00 2001
From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Fri, 2 Jun 2006 06:11:22 +0000
Subject: meta headers are not sanitised; prevent html leaking into them

---
 IkiWiki/Plugin/meta.pm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'IkiWiki')

diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 8244cf718..41d096e0e 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -27,11 +27,13 @@ sub preprocess (@) { #{{{
 	my $page=$params{page};
 	delete $params{page};
 
+	eval q{use CGI 'escapeHTML'};
+
 	if ($key eq 'link') {
 		if (%params) {
 			$meta{$page}='' unless exists $meta{$page};
-			$meta{$page}.="<link href=\"$value\" ".
-				join(" ", map { "$_=\"$params{$_}\"" } keys %params).
+			$meta{$page}.="<link href=\"".escapeHTML($value)."\" ".
+				join(" ", map { escapeHTML("$_=\"$params{$_}\"") } keys %params).
 				" />\n";
 		}
 		else {
@@ -40,11 +42,11 @@ sub preprocess (@) { #{{{
 		}
 	}
 	elsif ($key eq 'title') {
-		$title{$page}=$value;
+		$title{$page}=escapeHTML($value);
 	}
 	else {
 		$meta{$page}='' unless exists $meta{$page};
-		$meta{$page}.="<meta name=\"$key\" content=\"$value\" />\n";
+		$meta{$page}.="<meta name=\"".escapeHTML($key)."\" content=\"".escapeHTML($value)."\" />\n";
 	}
 
 	return "";
-- 
cgit v1.2.3