X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/26bf69d17aff4c74dd6c368712091d8c1fc977a6..76bccd9b70d29c900306587d566e9e3343c084f3:/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn diff --git a/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn b/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn index d79318dd8..587771ba4 100644 --- a/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn +++ b/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn @@ -1,10 +1,11 @@ [[!template id=gitbranch branch=smcv/unescaped-meta author="[[Simon_McVittie|smcv]]"]] +[[!tag patch]] (Warning: this branch has not been tested thoroughly.) While discussing the [[plugins/meta]] plugin on IRC, Joey pointed out that it stores most meta fields unescaped, but 'title', 'guid' and 'description' are special-cased and stored escaped (with numeric XML/HTML entities). This -is to avoid emitting markup in the of a HTML page, or in an RSS/Atom +is to avoid emitting markup in the `<title>` of a HTML page, or in an RSS/Atom feed, neither of which are subject to the [[plugins/htmlscrubber]]. However, having the meta fields "partially escaped" like this is somewhat @@ -19,6 +20,9 @@ Points of extra subtlety: that that's what Xapian wants anyway (which is why I didn't change it), but I could be wrong... + > AFAICS, this if anything, fixes a bug, xapian definitely expects + > unescaped text here. --[[Joey]] + * Page descriptions in the HTML `<head>` were previously double-escaped: the description was stored escaped with numeric entities, then that was output with a second layer of escaping! In this branch, I just emit @@ -30,3 +34,11 @@ Points of extra subtlety: double-escaped on any page that inlines them in `quick=yes` mode, and is rebuilt for some other reason. The failure mode is too much escaping rather than too little, so it shouldn't be a security problem. + +* Reverting this change, if applied, is more dangerous; until the wiki is + rebuilt, any titles, descriptions and GUIDs on unchanged pages that + contained markup could appear unescaped on any page that inlines them + in `quick=yes` mode, and is rebuilt for some other reason. The failure + mode here would be too little escaping, i.e. cross-site scripting. + +[[!tag done]]