diff options
| author | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2007-03-21 18:52:56 +0000 |
|---|---|---|
| committer | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2007-03-21 18:52:56 +0000 |
| commit | c8b4ba354f82fbbcebbbfca65b40a047f9920525 (patch) | |
| tree | 6dd5bd85031e42da9a3c65d1c5c3f9bfacfdfcda /IkiWiki/Plugin/meta.pm | |
| parent | 829d097dc52b6a8f50297406affc67fbc08dccb7 (diff) | |
| download | ikiwiki-c8b4ba354f82fbbcebbbfca65b40a047f9920525.tar ikiwiki-c8b4ba354f82fbbcebbbfca65b40a047f9920525.tar.gz | |
* Fix a security hole that allowed insertion of unsafe content via the meta
plugins's support for inserting html link and meta tags. Now such content
is passed through the htmlscrubber like everything else.
* Unfortunatly, that means that some valid uses of those tags are no longer
usable, and special case methods needed to be added for including
stylesheets, and for doing openid delegation. If you use either of these
in your wiki, it will need to be modified. See the meta plugin docs
for details.
Diffstat (limited to 'IkiWiki/Plugin/meta.pm')
| -rw-r--r-- | IkiWiki/Plugin/meta.pm | 41 |
1 files changed, 36 insertions, 5 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm index f71b80fb9..ec7a2d081 100644 --- a/IkiWiki/Plugin/meta.pm +++ b/IkiWiki/Plugin/meta.pm @@ -26,6 +26,15 @@ sub filter (@) { #{{{ return $params{content}; } # }}} +sub scrub ($) { #{{{ + if (IkiWiki::Plugin::htmlscrubber->can("sanitize")) { + return IkiWiki::Plugin::htmlscrubber::sanitize(content => shift); + } + else { + return shift; + } +} #}}} + sub preprocess (@) { #{{{ if (! @_) { return ""; @@ -46,9 +55,9 @@ sub preprocess (@) { #{{{ if ($key eq 'link') { if (%params) { - $meta{$page}.="<link href=\"".encode_entities($value)."\" ". + $meta{$page}.=scrub("<link href=\"".encode_entities($value)."\" ". join(" ", map { encode_entities($_)."=\"".encode_entities(decode_entities($params{$_}))."\"" } keys %params). - " />\n"; + " />\n"); } else { # hidden WikiLink @@ -60,7 +69,7 @@ sub preprocess (@) { #{{{ } elsif ($key eq 'permalink') { $permalink{$page}=$value; - $meta{$page}.="<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n"; + $meta{$page}.=scrub("<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n"); } elsif ($key eq 'date') { eval q{use Date::Parse}; @@ -69,9 +78,31 @@ sub preprocess (@) { #{{{ $IkiWiki::pagectime{$page}=$time if defined $time; } } + elsif ($key eq 'stylesheet') { + my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet"; + my $title=exists $params{title} ? $params{title} : $value; + # adding .css to the value prevents using any old web + # editable page as a stylesheet + my $stylesheet=bestlink($page, $value.".css"); + if (! length $stylesheet) { + return "[[meta ".gettext("stylesheet not found")."]]"; + } + $meta{$page}.='<link href="'.$stylesheet. + '" rel="'.encode_entities($rel). + '" title="'.encode_entities($title). + "style=\"text/css\" />\n"; + } + elsif ($key eq 'openid') { + if (exists $params{server}) { + $meta{$page}.='<link href="'.encode_entities($params{server}). + "\" rel=\"openid.server\" />\n"; + } + $meta{$page}.='<link href="'.encode_entities($value). + "\" rel=\"openid.delegate\" />\n"; + } else { - $meta{$page}.="<meta name=\"".encode_entities($key). - "\" content=\"".encode_entities($value)."\" />\n"; + $meta{$page}.=scrub("<meta name=\"".encode_entities($key). + "\" content=\"".encode_entities($value)."\" />\n"); if ($key eq 'author') { $author{$page}=$value; } |