oh, this is confusing, it needs escaping in <title>, but not when it's used

inline, already escaped there
author: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2007-03-21 06:22:06 +0000
committer: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2007-03-21 06:22:06 +0000
commit: 03e54381556d95b7d6bcbc8eb5442e40c0537c09 (patch)
tree: 099d1a9061ea27bdcdab1ff95446f4f7b966b89c /debian
parent: 1c65ca492295e754dfd9986f91b08eb0876d09b9 (diff)
download: ikiwiki-03e54381556d95b7d6bcbc8eb5442e40c0537c09.tar
ikiwiki-03e54381556d95b7d6bcbc8eb5442e40c0537c09.tar.gz
1 files changed, 2 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 5934958ce..86815828a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,9 +12,8 @@ ikiwiki (1.46) unstable; urgency=low
     same time, and let the second person resolve the conflict.
   * Applied a patch from Michał to make the mercurial backend pass --quiet to
     hg.
-  * Fix a few bugs around page titles containing html. The worst of these
-    is an actual security hole as it allows insertion of html into the title
-    element of a page, which is not processed by the htmlscrubber.
+  * Fix a security hole that allowed a web user to insert
+    arbitrary html in the title of a page due to missing escaping.
 
  -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 01:51:30 -0400
author	joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>	2007-03-21 06:22:06 +0000
committer	joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>	2007-03-21 06:22:06 +0000
commit	03e54381556d95b7d6bcbc8eb5442e40c0537c09 (patch)
tree	099d1a9061ea27bdcdab1ff95446f4f7b966b89c /debian
parent	1c65ca492295e754dfd9986f91b08eb0876d09b9 (diff)
download	ikiwiki-03e54381556d95b7d6bcbc8eb5442e40c0537c09.tar ikiwiki-03e54381556d95b7d6bcbc8eb5442e40c0537c09.tar.gz