X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/1c65ca492295e754dfd9986f91b08eb0876d09b9..d9e0abdd13f2dcc3eacafc9d8be4367c8c46bdff:/doc/security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 9b561a13e..b1e8d03f6 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -304,3 +304,14 @@ This hole was discovered on 21 March 2007 and fixed the same day (er, hour)
 with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
 as version 1.33.2. I recommend upgrading to one of these versions if your
 wiki allows web editing or aggregates feeds.
+
+## javascript insertion via meta tags
+
+It was possible to use the meta plugin's meta tags to insert arbitrary
+url contents, which could be used to insert stylesheet information
+containing javascript. This was fixed by sanitising meta tags.
+
+This hole was discovered on 21 March 2007 and fixed the same day
+with the release of ikiwiki 1.47. A fix was also backported to Debian etch,
+as version 1.33.3. I recommend upgrading to one of these versions if your
+wiki can be edited by third parties.