From 32ef584dc5abb6ddb9f794f94ea0b2934967bba7 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Wed, 4 May 2016 08:46:02 +0100
Subject: HTML-escape error messages (OVE-20160505-0012)

The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012)

The instance in preprocess() is just correctness. It is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here.
---
 IkiWiki.pm | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'IkiWiki.pm')

diff --git a/IkiWiki.pm b/IkiWiki.pm index 0f27ac419..fa71f4791 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -1647,6 +1647,8 @@ sub preprocess ($$$;$$) { if ($@) { my $error=$@; chomp $error; + eval q{use HTML::Entities}; + $error = encode_entities($error); $ret="[[!$command ". gettext("Error").": $error"."]]"; }
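Review bot: the result of `eval q{use HTML::Entities};` is never checked, so if the module fails to load the next line, `$error = encode_entities($error);`, dies with an undefined-subroutine error inside the very branch that is supposed to report an error (the eval also clobbers $@, which is harmless here only because $@ was already copied into $error on the line above). Either test $@ after the eval and fall back to a manual substitution of `<`, `>`, `&` and `"`, or load HTML::Entities unconditionally at the top of IkiWiki.pm so the dependency is explicit. Two smaller points: encode_entities with no second argument also escapes control and high-bit characters, so non-ASCII text in an error message will come back as numeric entities in the re-emitted `[[!$command Error: ...]]` directive; `encode_entities($error, '<>&"')` keeps it readable if that matters. And this view of the diff ("limited to 'IkiWiki.pm'") only contains the preprocess() instance described as a correctness fix; the cgierror() change that actually carries the OVE-20160505-0012 identifier is not shown here, so anyone reviewing the security fix itself needs the full commit.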