From fbfcea89f8e06426c73ab8ea369ca4cdc566db6f Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 16 May 2012 19:54:41 -0400
Subject: meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl Benencia
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 IkiWiki/Plugin/meta.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'IkiWiki')
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index b19ea2b32..c79c8ccc0 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -318,8 +318,8 @@ sub pagetemplate (@) {
 $template->param(title_overridden => 1);
 }
 
- foreach my $field (qw{author authorurl}) {
- $template->param($field => $pagestate{$page}{meta}{$field})
+ foreach my $field (qw{authorurl}) {
+ $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
 if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
 }
 
@@ -330,7 +330,7 @@ sub pagetemplate (@) {
 }
 }
 
- foreach my $field (qw{description}) {
+ foreach my $field (qw{description author}) {
 eval q{use HTML::Entities};
 $template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
 if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
-- 
cgit v1.2.3
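Review bot: In the first hunk, `authorurl` is only entity-encoded. That stops the value breaking out of an attribute, but it does not restrict the URL scheme, and nothing in the visible lines shows the value being checked against a safe-URL pattern before it is stored in `%pagestate`. If that check is not done where the directive is parsed, this loop should skip values that fail it rather than rely on encoding alone. The same loop calls `HTML::Entities::encode_entities` before the only visible `eval q{use HTML::Entities};`, which sits inside the `description author` loop of the second hunk; moving that line above both loops would make the dependency explicit and stop it re-running on each iteration. The two loops also use different encoders (`encode_entities` vs `encode_numeric`) with no comment saying why, and the body of `pagetemplate` starts and ends outside both hunks, so any earlier module load or validation cannot be confirmed from here.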