From 03e54381556d95b7d6bcbc8eb5442e40c0537c09 Mon Sep 17 00:00:00 2001
From: joey
Date: Wed, 21 Mar 2007 06:22:06 +0000
Subject: [PATCH] oh, this is confusing, it needs escaping in , but not when it's used inline, already escaped there

---
 debian/changelog | 5 ++---
 po/ikiwiki.pot | 2 +-
 templates/archivepage.tmpl | 2 +-
 templates/inlinepage.tmpl | 4 ++--
 templates/titlepage.tmpl | 2 +-
 5 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 5934958ce..86815828a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,9 +12,8 @@ ikiwiki (1.46) unstable; urgency=low
     same time, and let the second person resolve the conflict.
   * Applied a patch from Michał to make the mercurial backend pass --quiet
     to hg.
-  * Fix a few bugs around page titles containing html. The worst of these
-    is an actual security hole as it allows insertion of html into the title
-    element of a page, which is not processed by the htmlscrubber.
+  * Fix a security hole that allowed a web user to insert
+    arbitrary html in the title of a page due to missing escaping.
 
  -- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 01:51:30 -0400
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index 8f223571b..d4760ed3f 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-21 01:50-0400\n"
+"POT-Creation-Date: 2007-03-21 02:05-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
diff --git a/templates/archivepage.tmpl b/templates/archivepage.tmpl
index 7e8b8b8fc..6bc789dfb 100644
--- a/templates/archivepage.tmpl
+++ b/templates/archivepage.tmpl
@@ -1,5 +1,5 @@
 <p>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a><br />
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a><br />
 <i>
 Posted <TMPL_VAR CTIME>
 </i>
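Review bot: Dropping `ESCAPE=HTML` from `<TMPL_VAR TITLE>` on the added line makes archivepage.tmpl, and likewise inlinepage.tmpl and titlepage.tmpl in the later hunks, depend on whatever code fills TITLE having already HTML-escaped it; the commit message says it has, but nothing in the patch shows that escaping and nothing in the templates records the expectation. A later change that renders one of these templates from another code path with a raw page title would silently reintroduce the hole the changelog entry describes, with no template-level escaping left to catch it. The contract should be written down where a template author will see it, e.g. a comment above the link such as `<!-- TITLE must already be HTML-escaped by the code filling this template -->`, or at the single place the escaping is done so the three templates can point to it. It would also be worth confirming that every path that fills these templates, not only the inline plugin, escapes TITLE before the switch.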
diff --git a/templates/inlinepage.tmpl b/templates/inlinepage.tmpl
index f1f21d4be..0317c248c 100644
--- a/templates/inlinepage.tmpl
+++ b/templates/inlinepage.tmpl
@@ -10,9 +10,9 @@
 </TMPL_IF>
 <span class="header">
 <TMPL_IF NAME="PERMALINK">
-<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE ESCAPE=HTML></a>
+<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE></a>
 <TMPL_ELSE>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a>
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a>
 </TMPL_IF>
 </span>
 <TMPL_VAR CONTENT>
diff --git a/templates/titlepage.tmpl b/templates/titlepage.tmpl
index 0676a098e..f5cd5bc53 100644
--- a/templates/titlepage.tmpl
+++ b/templates/titlepage.tmpl
@@ -1 +1 @@
-<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a></p>
+<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a></p>
-- 
2.44.0