meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled.

author: Joey Hess <joey@kitenet.net> 2011-03-28 12:21:12 -0400
committer: Joey Hess <joey@kitenet.net> 2011-03-28 12:21:12 -0400
commit: be02a80b7a19f3c33a8ea42c0750d94e0a91206f (patch)
tree: 1ffc2ec9905bf2662c9766d95e96430959ef2d2d /IkiWiki
parent: a0e31f38d55f659ed9ef07ce16482308807435f8 (diff)
download: ikiwiki-be02a80b7a19f3c33a8ea42c0750d94e0a91206f.tar
ikiwiki-be02a80b7a19f3c33a8ea42c0750d94e0a91206f.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index ad6d1a8e3..1a9f94a12 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -174,10 +174,10 @@ sub preprocess (@) {
 		if (! length $stylesheet) {
 			error gettext("stylesheet not found")
 		}
-		push @{$metaheaders{$page}}, '<link href="'.urlto($stylesheet, $page).
+		push @{$metaheaders{$page}}, scrub('<link href="'.urlto($stylesheet, $page).
 			'" rel="'.encode_entities($rel).
 			'" title="'.encode_entities($title).
-			"\" type=\"text/css\" />";
+			"\" type=\"text/css\" />", $page, $destpage);
 	}
 	elsif ($key eq 'openid') {
 		my $delegate=0; # both by default
author	Joey Hess <joey@kitenet.net>	2011-03-28 12:21:12 -0400
committer	Joey Hess <joey@kitenet.net>	2011-03-28 12:21:12 -0400
commit	be02a80b7a19f3c33a8ea42c0750d94e0a91206f (patch)
tree	1ffc2ec9905bf2662c9766d95e96430959ef2d2d /IkiWiki
parent	a0e31f38d55f659ed9ef07ce16482308807435f8 (diff)
download	ikiwiki-be02a80b7a19f3c33a8ea42c0750d94e0a91206f.tar ikiwiki-be02a80b7a19f3c33a8ea42c0750d94e0a91206f.tar.gz