X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/26bf69d17aff4c74dd6c368712091d8c1fc977a6..a42de69fbb3e775dd407d24bf90534a07219710a:/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn?ds=sidebyside
diff --git a/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn b/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn
index d79318dd8..587771ba4 100644
--- a/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn
+++ b/doc/bugs/some_but_not_all_meta_fields_are_stored_escaped.mdwn
@@ -1,10 +1,11 @@
[[!template id=gitbranch branch=smcv/unescaped-meta author="[[Simon_McVittie|smcv]]"]]
+[[!tag patch]]
(Warning: this branch has not been tested thoroughly.)
While discussing the [[plugins/meta]] plugin on IRC, Joey pointed out that
it stores most meta fields unescaped, but 'title', 'guid' and 'description'
are special-cased and stored escaped (with numeric XML/HTML entities). This
-is to avoid emitting markup in the
of a HTML page, or in an RSS/Atom
+is to avoid emitting markup in the `` of a HTML page, or in an RSS/Atom
feed, neither of which are subject to the [[plugins/htmlscrubber]].
However, having the meta fields "partially escaped" like this is somewhat
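Review bot: the replacement line "is to avoid emitting markup in the `` of a HTML page, or in an RSS/Atom" shows an empty inline code span, so as displayed the sentence never names which part of the HTML page is meant. If an element name was intended between the backticks, check that it is written so it survives rendering. Otherwise name the location in plain words, since this sentence is the whole rationale for escaping 'title', 'guid' and 'description'.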
@@ -19,6 +20,9 @@ Points of extra subtlety:
that that's what Xapian wants anyway (which is why I didn't change it),
but I could be wrong...
+ > AFAICS, this if anything, fixes a bug, xapian definitely expects
+ > unescaped text here. --[[Joey]]
+
* Page descriptions in the HTML `` were previously double-escaped:
the description was stored escaped with numeric entities, then that was
output with a second layer of escaping! In this branch, I just emit
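Review bot: style point on the added reply under the Xapian item: "this if anything, fixes a bug" has a stray comma and should read "this, if anything, fixes a bug". Since the reply answers the question the item leaves open, the item's closing "but I could be wrong..." could be reworded or dropped in a follow-up so readers can tell this point is settled.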
@@ -30,3 +34,11 @@ Points of extra subtlety:
double-escaped on any page that inlines them in `quick=yes` mode, and
is rebuilt for some other reason. The failure mode is too much escaping
rather than too little, so it shouldn't be a security problem.
+
+* Reverting this change, if applied, is more dangerous; until the wiki is
+ rebuilt, any titles, descriptions and GUIDs on unchanged pages that
+ contained markup could appear unescaped on any page that inlines them
+ in `quick=yes` mode, and is rebuilt for some other reason. The failure
+ mode here would be too little escaping, i.e. cross-site scripting.
+
+[[!tag done]]
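Review bot: the new bullet on reverting says the exposure lasts "until the wiki is rebuilt" but does not tell the reader what to do about it. Because the failure mode it names is too little escaping, i.e. cross-site scripting, the text should state the step outright, for example that any revert must be followed immediately by a full rebuild, instead of leaving it implied. Separately, this hunk adds `[[!tag done]]` while the first hunk adds `[[!tag patch]]`; confirm that both tags are meant to remain on the page.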