web commit by http://id.inelegant.org/: First pass at user documentation.

[ikiwiki.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 9b561a13eb80f30592758727f171b9467d082c3e..b1e8d03f6549caec92fe43e831361032c766a5cf 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -304,3 +304,14 @@ This hole was discovered on 21 March 2007 and fixed the same day (er, hour)
 with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
 as version 1.33.2. I recommend upgrading to one of these versions if your
 wiki allows web editing or aggregates feeds.
+
+## javascript insertion via meta tags
+
+It was possible to use the meta plugin's meta tags to insert arbitrary
+url contents, which could be used to insert stylesheet information
+containing javascript. This was fixed by sanitising meta tags.
+
+This hole was discovered on 21 March 2007 and fixed the same day
+with the release of ikiwiki 1.47. A fix was also backported to Debian etch,
+as version 1.33.3. I recommend upgrading to one of these versions if your
+wiki can be edited by third parties.