diff options
| author | Joey Hess <joey@kitenet.net> | 2010-11-12 00:24:52 -0400 |
|---|---|---|
| committer | Joey Hess <joey@kitenet.net> | 2010-11-12 00:24:52 -0400 |
| commit | 0ea5f43790fe2ce3cc40e9513191e72c67a1ee51 (patch) | |
| tree | cc93f28038ddbfe61a6d650e96db1a8ef156b435 | |
| parent | d5056fb61e8332fea658363e931ec28a35681ffe (diff) | |
| download | ikiwiki-0ea5f43790fe2ce3cc40e9513191e72c67a1ee51.tar ikiwiki-0ea5f43790fe2ce3cc40e9513191e72c67a1ee51.tar.gz | |
security issue
| -rw-r--r-- | doc/security.mdwn | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index 34a005239..33b199247 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -440,3 +440,16 @@ with the release of ikiwiki 3.20100312. A fix was also backported to Debian etch, as version 2.53.5. I recommend upgrading to one of these versions if your wiki can be edited by third parties. + +## javascript insertation via insufficient htmlscrubbing of comments + +Kevin Riggle noticed that it was not possible to configure +`htmlscrubber_skip` to scrub comments while leaving unscubbed the text +of eg, blog posts. Confusingly, setting it to "* and !comment(*)" did not +scrub comments. + +Additionally, it was discovered that comments' html was never scrubbed during +preview or moderation of comments. + +These problems were discovered on 12 November 2010 and fixed the same +hour with the release of ikiwiki 3.20101112. |