-ikiwiki (1.31) UNRELEASED; urgency=low
+ikiwiki (1.33.4) stable-security; urgency=high
+
+ * htmlscrubber security fix: Block javascript in uris. Closes: #465110
+ * meta: Check that the urls provided for authorurl, permalink, and openid
+ are safe and can't contain javascript.
+ * Add htmlscrubber test suite.
+ * Thanks to Josh Triplett for pointing out the holes and for his help
+ in implementing and checking fixes.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 10 Feb 2008 13:34:28 -0500
+
+ikiwiki (1.33.3) testing-proposed-updates; urgency=medium
+
+ * Fix a security hole that allowed insertion of unsafe content via the meta
+ plugins's support for inserting html link and meta tags. Now such content
+ is passed through the htmlscrubber like everything else.
+ * Unfortunatly, that means that some valid uses of those tags are no longer
+ usable, and special case methods needed to be added for including
+ stylesheets, and for doing openid delegation. If you use either of these
+ in your wiki, it will need to be modified. See the meta plugin docs
+ for details.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 14:56:48 -0400
+
+ikiwiki (1.33.2) testing-proposed-updates; urgency=medium
+
+ * Backport fix for a security hole that allowed a web user to insert
+ arbitrary html in the title of a page due to missing escaping of
+ titles in the meta plugin.
+ * Fix examples directory location.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 01:55:02 -0400
+
+ikiwiki (1.33.1) testing-proposed-updates; urgency=medium
+
+ * Backport fix for a security hole that allowed a web user to edit images
+ and other non-page format files in the wiki. To exploit this, the file
+ already had to exist in the wiki, and the web user would need to somehow
+ use the web based editor to replace it with malicious content.
+
+ -- Joey Hess <joeyh@debian.org> Sat, 10 Feb 2007 15:30:12 -0500
+
+ikiwiki (1.33) unstable; urgency=low
+
+ * Fix issue with aggregate plugin updating expired pages.
+ * Avoid syntax errors in templates used by the template plugin crashing
+ ikiwiki.
+ * Enable utf8 file IO in aggregate plugin.
+ * Fix some issues with the new registration form.
+ * Patch from Ethan Glasser Camp to add a skip option to the inline plugin.
+ * Make sure to check for errors from every eval.
+ * Fix img plugin's handling of adding dependencies for images that do not
+ yet exist.
+ * Work around a strange bug in CGI::FormBuilder 3.0401 that makes
+ FORM-SUBMIT unusable on customised formbuilder templates. For now,
+ hardcode the submit buttons in editpage.tmpl instead of using the
+ template variable, which is ok, since the buttons are static.
+ * Work with hyperestraier 1.4.9.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 15 Nov 2006 18:32:26 -0500
+
+ikiwiki (1.32) unstable; urgency=low
+
+ * Add a separate pass to find page links, and only render each page once,
+ instead of over and over. Typical speedup is ~4x. Max possible speedup:
+ 8x.
+ * Add "scan" parameter to hook(), which is used to make the hook be called
+ during the scanning pass, as well as the render pass. The meta and tag
+ plugins need to use the new scan parameter, so will any others that modify
+ %links.
+ * Now that links are calculated in a separate pass, it can also
+ precalculate backlinks in one pass, which is O(N^2) instead of the
+ previous code that was O(N^3). A very nice speedup for wikis with lots
+ (thousands) of pages.
+ * Stylish update to the ikiwiki logo, thanks to Recai Oktaş and Selçuk
+ Erdem.
+ * Add a default stylesheet entry for the pagecloud.
+ * Add examples page with some examples of things that can be done using
+ ikiwiki, like a weblog. The examples can be copied into a user's wiki
+ for a quick start, without needing to learn everything about how to put
+ them together.
+ * Install the source of the examples into /usr/share/doc/ikiwiki/examples.
+ * Add perlmagick to build-depends so syntax check of img plugin works.
+ Closes: #396702
+ * Improve login/register process, the login dialog has only name and
+ password fields, which allows more web browsers to regognise it as a login
+ field, and is less confusing.
+ * Implemented expiry options for aggregate plugin.
+ * Use precalculated backlinks info when determining if files need an update
+ due to a page they link to being added/removed. Mostly significant if
+ there are lots of pages.
+ * Remove duplicate link info when saving index. In some cases it could
+ pile up rather badly. (Probably not the best way to deal with this
+ problem.)
+ * Patch from James Westby to support podcasting, photoblogging, vidcasting,
+ or what have you, by creating enclosures for non-page items that are
+ included in feeds.
+
+ -- Joey Hess <joeyh@debian.org> Fri, 3 Nov 2006 14:46:37 -0500
+
+ikiwiki (1.31) unstable; urgency=low
* Patch from Pawel Tecza to cp -a the templates in the Makefile.
* Change the rss feed title from the wikiname to the page title, with
* Sanitize possibly problimatic characters out of the polygen grammar names,
just in case. Should not be exploitable anyway, since it only tries to run
polygen after finding the specified grammar file.
+ * Add missing dependency on the URI perl module.
+ * Add basic spam fighting tool for admins: An admin's prefs page now allows
+ editing a list of banned users.
- -- Joey Hess <joeyh@debian.org> Sun, 22 Oct 2006 15:47:08 -0400
+ -- Joey Hess <joeyh@debian.org> Fri, 27 Oct 2006 23:16:33 -0400
ikiwiki (1.30) unstable; urgency=low