authorjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2007-03-21 18:52:56 +0000
committerjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2007-03-21 18:52:56 +0000
commitc8b4ba354f82fbbcebbbfca65b40a047f9920525 (patch)
tree6dd5bd85031e42da9a3c65d1c5c3f9bfacfdfcda /IkiWiki
parent829d097dc52b6a8f50297406affc67fbc08dccb7 (diff)
* Fix a security hole that allowed insertion of unsafe content via the meta
plugin's support for inserting html link and meta tags. Now such content is passed through the htmlscrubber like everything else. * Unfortunately, that means that some valid uses of those tags are no longer usable, and special case methods needed to be added for including stylesheets, and for doing openid delegation. If you use either of these in your wiki, it will need to be modified. See the meta plugin docs for details.
Diffstat (limited to 'IkiWiki')
-rw-r--r--IkiWiki/Plugin/meta.pm41
1 files changed, 36 insertions, 5 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index f71b80fb9..ec7a2d081 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -26,6 +26,15 @@ sub filter (@) { #{{{
return $params{content};
} # }}}
+sub scrub ($) { #{{{
+ if (IkiWiki::Plugin::htmlscrubber->can("sanitize")) {
+ return IkiWiki::Plugin::htmlscrubber::sanitize(content => shift);
+ }
+ else {
+ return shift;
+ }
+} #}}}
+
sub preprocess (@) { #{{{
if (! @_) {
return "";
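Review bot: The new `scrub` is fail-open: when the htmlscrubber plugin is not loaded, the `else` branch hands the generated tag back unchanged, so the protection this commit adds depends on a plugin the administrator can disable. That presumably matches how the rest of ikiwiki behaves without htmlscrubber (page content is not sanitized either), but the intent should be stated on the branch, e.g. `# htmlscrubber not enabled: the wiki trusts raw html, so pass through unchanged`. The two `shift` calls both consume the same single argument, which works but reads oddly; `my $content=shift;` at the top of the sub would make the flow obvious.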
@@ -46,9 +55,9 @@ sub preprocess (@) { #{{{
if ($key eq 'link') {
if (%params) {
- $meta{$page}.="<link href=\"".encode_entities($value)."\" ".
+ $meta{$page}.=scrub("<link href=\"".encode_entities($value)."\" ".
join(" ", map { encode_entities($_)."=\"".encode_entities(decode_entities($params{$_}))."\"" } keys %params).
- " />\n";
+ " />\n");
}
else {
# hidden WikiLink
@@ -60,7 +69,7 @@ sub preprocess (@) { #{{{
}
elsif ($key eq 'permalink') {
$permalink{$page}=$value;
- $meta{$page}.="<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n";
+ $meta{$page}.=scrub("<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n");
}
elsif ($key eq 'date') {
eval q{use Date::Parse};
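Review bot: The raw `$value` is stored in `%permalink` one line before the scrubbed `<link>` is emitted, and `%permalink` is consumed outside this hunk; if a template or feed emits it without escaping, that is a second sink this commit does not cover — worth confirming. A short comment such as `# $permalink is used by templates; scrubbing here only covers the <link> tag` would make that boundary explicit. `preprocess` starts and ends outside this hunk.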
@@ -69,9 +78,31 @@ sub preprocess (@) { #{{{
$IkiWiki::pagectime{$page}=$time if defined $time;
}
}
+ elsif ($key eq 'stylesheet') {
+ my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
+ my $title=exists $params{title} ? $params{title} : $value;
+ # adding .css to the value prevents using any old web
+ # editable page as a stylesheet
+ my $stylesheet=bestlink($page, $value.".css");
+ if (! length $stylesheet) {
+ return "[[meta ".gettext("stylesheet not found")."]]";
+ }
+ $meta{$page}.='<link href="'.$stylesheet.
+ '" rel="'.encode_entities($rel).
+ '" title="'.encode_entities($title).
+ "style=\"text/css\" />\n";
+ }
+ elsif ($key eq 'openid') {
+ if (exists $params{server}) {
+ $meta{$page}.='<link href="'.encode_entities($params{server}).
+ "\" rel=\"openid.server\" />\n";
+ }
+ $meta{$page}.='<link href="'.encode_entities($value).
+ "\" rel=\"openid.delegate\" />\n";
+ }
else {
- $meta{$page}.="<meta name=\"".encode_entities($key).
- "\" content=\"".encode_entities($value)."\" />\n";
+ $meta{$page}.=scrub("<meta name=\"".encode_entities($key).
+ "\" content=\"".encode_entities($value)."\" />\n");
if ($key eq 'author') {
$author{$page}=$value;
}
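Review bot: The `<link>` built in the new `stylesheet` branch is malformed: the `title` attribute is never closed and the next attribute is spelled `style`, so the output reads `title="…style="text/css" />`; the final line should be `"\" type=\"text/css\" />\n";`. `$stylesheet` is also the only attribute value in that tag not passed through `encode_entities`, and since `bestlink` returns a page name rather than a URL relative to `$page`, the href presumably only resolves from top-level pages — confirm whether it should go through the same URL helper other generated links use. The `openid` branch likewise emits hrefs that intentionally bypass `scrub` with entity encoding alone; checking that `$value` and `$params{server}` are `http`/`https` URLs would restore the safeguard the scrubber otherwise provides for `<link>` tags. `preprocess` continues past the end of this hunk.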