$template->param(title_overridden => 1);
}
- foreach my $field (qw{author authorurl permalink}) {
- $template->param($field => $pagestate{$page}{meta}{$field})
+ foreach my $field (qw{authorurl permalink}) {
+ $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
}
- foreach my $field (qw{description}) {
+ foreach my $field (qw{description author}) {
+ eval q{use HTML::Entities};
$template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
}
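Review bot: The only visible load of HTML::Entities is the `eval q{use HTML::Entities};` added inside the second loop, but the first loop already calls `HTML::Entities::encode_entities` for authorurl and permalink, and the eval's result is never checked. Unless the module is loaded earlier in the function (outside this hunk), I would hoist the load above both loops and check it: `eval q{use HTML::Entities}; error($@) if $@;`. That way a missing module fails loudly instead of at the first encode call, and the load is not repeated on every iteration. Entity-encoding authorurl prevents breaking out of the attribute but does not restrict the URL scheme, so it is worth confirming that the value is scheme-checked where it is stored, which is not visible here. A short comment such as `# meta values are page-author supplied; encode before passing to the template` above the loops would record why both are encoded.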
+ikiwiki (3.20100815.9) stable-security; urgency=high
+
+ * meta: Security fix; add missing sanitization of author and authorurl.
+ CVE-2012-0220 Thanks, Raúl Benencia
+
+ -- Joey Hess <joeyh@debian.org> Wed, 16 May 2012 19:51:27 -0400
+
ikiwiki (3.20100815.8) stable-security; urgency=low
* ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su.