The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012, CVE-2016-4561)
The instance in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
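The cgierror() case above, as an added example that is not ikiwiki's own code: a module dies with a message that embeds an attacker-chosen filename, and the message is rendered into an error paragraph once verbatim (the pre-fix behaviour) and once through HTML::Entities::encode_entities() as the patch does. The crafted filename, the die() message and the two render_* helpers are constructed here for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not part of ikiwiki. Shows why cgierror() must
# HTML-escape its message before interpolating it into the page.
use strict;
use warnings;
use HTML::Entities;

# Constructed attacker-controlled filename: the kind of input that could end
# up inside an exception message raised by some module.
my $crafted_file = q{"><script>alert(document.cookie)</script>.mdwn};

# Simulate a module raising an exception that quotes the filename.
eval { die "cannot read $crafted_file: No such file or directory\n" };
my $error = $@;
chomp $error;

# Pre-fix behaviour: the message is interpolated into the markup as-is,
# so any tags it carries become live HTML in the error page.
sub render_unescaped {
    my $message = shift;
    return "<p class=\"error\">Error: $message</p>";
}

# Patched behaviour: encode_entities() with its default unsafe set turns
# &, <, >, " and ' (and non-ASCII) into entities, so the message is text.
sub render_escaped {
    my $message = shift;
    $message = encode_entities($message);
    return "<p class=\"error\">Error: $message</p>";
}

print "Unescaped: ", render_unescaped($error), "\n";
print "Escaped:   ", render_escaped($error), "\n";

# Sanity check: the hardened output must not contain a raw <script> tag,
# while the original message must be recoverable by decoding.
my $hardened = render_escaped($error);
die "escape failed: raw tag survived\n" if $hardened =~ /<script/i;
die "escape lost content\n"
    unless decode_entities($hardened) eq render_unescaped($error);
print "ok: markup neutralised, content preserved\n";
```

Run it with `perl` (HTML::Entities ships with the HTML-Parser distribution). The first line printed contains a live `<script>` element; the second shows the same text with `&lt;script&gt;`, which a browser displays rather than executes.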
if ($@) {
my $error=$@;
chomp $error;
+ eval q{use HTML::Entities};
+ $error = encode_entities($error);
$ret="[[!$command <span class=\"error\">".
gettext("Error").": $error"."</span>]]";
}
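Review bot: the new `eval q{use HTML::Entities}` inside the `if ($@)` branch clobbers `$@`, so the existing `my $error=$@;` copy two lines earlier is load-bearing; a one-line comment saying the copy must stay before the eval would stop a later cleanup from reordering them. The eval also swallows a load failure without checking `$@`, so if HTML::Entities is ever missing the symptom is an undefined-subroutine error on `$error = encode_entities($error);` rather than a clear message; fine if the module is a hard dependency, otherwise check `$@` after the eval. Note that `$command` in the `[[!$command <span ...` wrapper is still interpolated unescaped, which is only safe if the matcher that sets it restricts directive names to word characters; worth confirming.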
sub cgierror ($) {
my $message=shift;
+ eval q{use HTML::Entities};
+ $message = encode_entities($message);
+
print "Content-type: text/html\n\n";
print cgitemplate(undef, gettext("Error"),
"<p class=\"error\">".gettext("Error").": $message</p>");
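Review bot: escaping `$message` unconditionally changes the contract of cgierror(): any caller that currently passes pre-formatted HTML (a link, a `<code>` fragment) will now render it as literal text, so the callers should be audited and the sub should document that the message is treated as plain text. A secondary point: because encode_entities() with its default unsafe set also converts non-ASCII to entities, the charset-less `Content-type: text/html` header is harmless for `$message`, but the `gettext("Error")` strings in the title and body are still emitted raw, so a translated "Error" with non-ASCII characters would go out without a declared charset.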
+ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
+
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (CVE-2016-4561, OVE-20160505-0012)
+
+ -- Simon McVittie <smcv@debian.org> Sun, 08 May 2016 15:33:51 +0100
+
ikiwiki (3.20120629.2) wheezy; urgency=medium
[ Joey Hess ]
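Review bot: the new entry targets `UNRELEASED` while the entry beneath it was uploaded to `wheezy`; that is fine for a draft and blocks an accidental upload, but the suite has to be set to whatever the security update is uploaded to before this is built for release. The bullet could also name the function that was the cross-site scripting case (cgierror) so a changelog reader does not need the commit message to tell the two instances apart.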