From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Fri, 2 Jun 2006 06:11:22 +0000 (+0000)
Subject: meta headers are not sanitised; prevent html leaking into them
X-Git-Tag: 1.5~19
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/54541869392f162bb195b8b67814ef0a394c1961?hp=03867bf323fda5d582a53341f8f1a0a3460d76d6

meta headers are not sanitised; prevent html leaking into them
---

diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 8244cf718..41d096e0e 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -27,11 +27,13 @@ sub preprocess (@) { #{{{
 	my $page=$params{page};
 	delete $params{page};
 
+	eval q{use CGI 'escapeHTML'};
+
 	if ($key eq 'link') {
 		if (%params) {
 			$meta{$page}='' unless exists $meta{$page};
-			$meta{$page}.="<link href=\"$value\" ".
-				join(" ", map { "$_=\"$params{$_}\"" } keys %params).
+			$meta{$page}.="<link href=\"".escapeHTML($value)."\" ".
+				join(" ", map { escapeHTML("$_=\"$params{$_}\"") } keys %params).
 				" />\n";
 		}
 		else {
@@ -40,11 +42,11 @@ sub preprocess (@) { #{{{
 		}
 	}
 	elsif ($key eq 'title') {
-		$title{$page}=$value;
+		$title{$page}=escapeHTML($value);
 	}
 	else {
 		$meta{$page}='' unless exists $meta{$page};
-		$meta{$page}.="<meta name=\"$key\" content=\"$value\" />\n";
+		$meta{$page}.="<meta name=\"".escapeHTML($key)."\" content=\"".escapeHTML($value)."\" />\n";
 	}
 
 	return "";
diff --git a/doc/plugins/meta.mdwn b/doc/plugins/meta.mdwn
index 371713a31..998dd5d86 100644
--- a/doc/plugins/meta.mdwn
+++ b/doc/plugins/meta.mdwn
@@ -1,4 +1,6 @@
 This plugin allows inserting arbitrary metadata into the source of a page.
+This plugin is not enabled by default. If it is enabled, the title of this
+page will say it is. [[meta title="meta plugin (enabled)"]]
 Enter the metadata as follows:
 
 	\\[[meta field="value"]]
@@ -39,7 +41,3 @@ You can use any field names you like, but here are some predefined ones:
 If the field is not treated specially (as the link and title fields are),
 the metadata will be written to the generated html page as a &lt;meta&gt;
 header.
-
-This plugin is not enabled by default. If it is enabled, the title of this
-page will say it is.
-[[meta title="meta plugin (enabled)"]]
diff --git a/doc/plugins/write.mdwn b/doc/plugins/write.mdwn
index b2b7c6ff8..515c4d90d 100644
--- a/doc/plugins/write.mdwn
+++ b/doc/plugins/write.mdwn
@@ -79,15 +79,6 @@ Runs on the raw source of a page, before anything else touches it, and can
 make arbitrary changes. The function is passed named parameters `page` and
 `content` and should return the filtered content.
 
-## sanitize
-
-	IkiWiki::hook(type => "filter", id => "foo", call => \&sanitize);
-
-Use this to implement html sanitization or anything else that needs to
-modify the content of a page after it has been fully converted to html.
-The function is passed the page content and should return the sanitized
-content.
-
 ## pagetemplate
 
 	IkiWiki::hook(type => "pagetemplate", id => "foo", call => \&pagetemplate);
@@ -99,6 +90,15 @@ be used to generate the page. It can manipulate that template, the most
 common thing to do is probably to call $template->param() to add a new
 custom parameter to the template.
 
+## sanitize
+
+	IkiWiki::hook(type => "sanitize", id => "foo", call => \&sanitize);
+
+Use this to implement html sanitization or anything else that needs to
+modify the content of a page after it has been fully converted to html.
+The function is passed the page content and should return the sanitized
+content.
+
 ## delete
 
 	IkiWiki::hook(type => "delete", id => "foo", call => \&dele);