X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/1c65ca492295e754dfd9986f91b08eb0876d09b9..98df3c04d652c2b150b5f13c340c5549b6adb350:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index 9b561a13e..b1e8d03f6 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -304,3 +304,14 @@ This hole was discovered on 21 March 2007 and fixed the same day (er, hour) with the release of ikiwiki 1.46. A fix was also backported to Debian etch, as version 1.33.2. I recommend upgrading to one of these versions if your wiki allows web editing or aggregates feeds. + +## javascript insertion via meta tags + +It was possible to use the meta plugin's meta tags to insert arbitrary +url contents, which could be used to insert stylesheet information +containing javascript. This was fixed by sanitising meta tags. + +This hole was discovered on 21 March 2007 and fixed the same day +with the release of ikiwiki 1.47. A fix was also backported to Debian etch, +as version 1.33.3. I recommend upgrading to one of these versions if your +wiki can be edited by third parties.