X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/1c65ca492295e754dfd9986f91b08eb0876d09b9..1ecd251ffa28f851273654599f2d05c4bd552e16:/debian/changelog diff --git a/debian/changelog b/debian/changelog index 5934958ce..8ad4ab502 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +ikiwiki (1.47) unstable; urgency=low + + * Fix a security hole that allowed insertion of unsafe content via the meta + plugins's support for inserting html link and meta tags. Now such content + is passed through the htmlscrubber like everything else. + * Unfortunatly, that means that some valid uses of those tags are no longer + usable, and special case methods needed to be added for including + stylesheets, and for doing openid delegation. If you use either of these + in your wiki, it will need to be modified. See the meta plugin docs + for details. + + -- Joey Hess Wed, 21 Mar 2007 14:05:00 -0400 + ikiwiki (1.46) unstable; urgency=low * Fix a bug with inlined create page links, including Discussion links on @@ -12,9 +25,8 @@ ikiwiki (1.46) unstable; urgency=low same time, and let the second person resolve the conflict. * Applied a patch from Michał to make the mercurial backend pass --quiet to hg. - * Fix a few bugs around page titles containing html. The worst of these - is an actual security hole as it allows insertion of html into the title - element of a page, which is not processed by the htmlscrubber. + * Fix a security hole that allowed a web user to insert arbitrary html in + the title of a page due to missing escaping of titles in the meta plugin. -- Joey Hess Wed, 21 Mar 2007 01:51:30 -0400
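Review bot: In the first hunk, the new 1.47 entry is marked "urgency=low" even though its first item is a security fix for unsafe content getting past the htmlscrubber; consider a higher urgency so the upload is not treated as routine. The second item tells admins their wiki "will need to be modified" but only points to the meta plugin docs. Naming the replacement methods for stylesheets and openid delegation in the entry itself, or in a NEWS item, would make the breaking change harder to miss on upgrade. Two spelling fixes in the same hunk: "meta plugins's" should be "meta plugin's" and "Unfortunatly" should be "Unfortunately".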
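Review bot: In the second hunk, the reworded 1.46 item no longer mentions the "few bugs around page titles containing html" that the removed lines recorded and now describes only the security hole. If those other title fixes are still part of 1.46, keep a separate line for them so the changelog stays complete. The new text is clearer about impact (a web user, arbitrary html in the title, missing escaping in the meta plugin), which is an improvement. Since it rewrites an entry for a version other than the one being added, it is worth confirming that 1.46 has not already been uploaded with the old text. The 1.46 header in the context line is also "urgency=low", which is worth revisiting now that the entry is described purely as a security hole.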