X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/2ea8fbe2d9691d48b007bd0404dd77ae4bd3c9c7..a18e304e39a085c91b97c06ecb82f76ec37a0bc4:/doc/security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 65ebfd7b2..dc763ef40 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -145,6 +145,13 @@ with a username containing html code (anymore).
 It's difficult to know for sure if all such avenues have really been
 closed though.
 
+## HTML::Template security
+
+If the [[plugins/template]] plugin is enabled, users can modify templates
+like any other part of the wiki. This assumes that HTML::Template is secure
+when used with untrusted/malicious templates. (Note that includes are not
+allowed, so that's not a problem.)
+
 ----
 
 # Fixed holes
@@ -242,7 +249,7 @@ ikiwiki escapes any html in svn commit logs to prevent other mischief.
 ## XML::Parser
 
 XML::Parser is used by the aggregation plugin, and has some security holes. 
-#[378411](http://bugs.debian.org/378411) does not
+Bug #[378411](http://bugs.debian.org/378411) does not
 seem to affect our use, since the data is not encoded as utf-8 at that
 point. #[378412](http://bugs.debian.org/378412) could affect us, although it
 doesn't seem very exploitable. It has a simple fix, and has been fixed in