document security fix

[ikiwiki.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 6e1d56a52e76c92a50a6a48d66293f5b3a3022d4..d834aa1a5e726deb51790fb5454d58cf77407db5 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -341,7 +341,17 @@ There are at least two configurations where this is exploitable:
   notice.
 
 This security hole was discovered on 26 November 2007 and fixed the same
-da with the release of ikiwiki 2.14. I recommend upgrading to this version
+day with the release of ikiwiki 2.14. I recommend upgrading to this version
 if your wiki can be committed to by third parties. Alternatively, don't use
 a trailing slash in the srcdir, and avoid the (unusual) configurations that
 allow the security hole to be exploited.
+
+## javascript insertion via uris
+
+The htmlscrubber did not block javascript in uris. This was fixed by adding
+a whitelist of valid uri types, which does not include javascript.
+
+This hole was discovered on 10 February 2008 and fixed the same day
+with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch,
+as version 1.33.4. I recommend upgrading to one of these versions if your
+wiki can be edited by third parties.