meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl...
[git.ikiwiki.info.git] / IkiWiki / Plugin / meta.pm
index c33c8b23882f7e23c8114d67c7ecd388666475e3..ef949f22e06f626cbefd6e4f748248792415b601 100644 (file)
@@ -288,12 +288,13 @@ sub pagetemplate (@) {
                $template->param(title_overridden => 1);
        }
 
-       foreach my $field (qw{author authorurl permalink}) {
-               $template->param($field => $pagestate{$page}{meta}{$field})
+       foreach my $field (qw{authorurl permalink}) {
+               $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
                        if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
        }
 
-       foreach my $field (qw{description}) {
+       foreach my $field (qw{description author}) {
+               eval q{use HTML::Entities};
                $template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
                        if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
        }
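Review bot: The first loop now calls `HTML::Entities::encode_entities` for `authorurl` and `permalink`, but the only `eval q{use HTML::Entities};` visible in the hunk sits inside the second loop, after that call; unless the module is already loaded unconditionally earlier in `pagetemplate` (whose body starts and ends outside the hunk), rendering a page that sets one of these fields could die on an undefined subroutine. Load it once above both loops and check the result, for example `eval q{use HTML::Entities}; error($@) if $@;`, rather than re-running the string eval on every iteration. Separately, entity-encoding `authorurl` prevents markup and attribute breakout but does not restrict the URL scheme, so if the template places the value in an `href` the scheme still has to be validated where the value is accepted, which is not visible here. A short comment above the loops, such as `# meta values are user-supplied; escape before handing them to the template`, would record why the encoding is there.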