From: Simon McVittie Date: Tue, 18 Nov 2008 10:29:16 +0000 (+0000) Subject: comments: sanitize the body of each comment before posting it X-Git-Tag: 2.71~134 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/ebe140201ed53ee4f8cf5998c69e20d5fef2ad16?ds=inline;hp=-c comments: sanitize the body of each comment before posting it This should ensure that users can't "break out" from the enclosing
, making it impossible to forge comments (assuming htmlscrubber is enabled, and so is either htmlbalance or htmltidy).
---
ebe140201ed53ee4f8cf5998c69e20d5fef2ad16
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 9359e9487..c545a1335 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -250,6 +250,17 @@ sub sessioncgi ($$) { #{{{
 $body =~ s/>/>/g;
 }
 
+ IkiWiki::run_hooks(sanitize => sub {
+ # $fake is a possible location for this comment. We don't
+ # know yet what the comment number *actually* is.
+ my $fake = "$page/_comment_1";
+ $body=shift->(
+ page => $fake,
+ destpage => $fake,
+ content => $body,
+ );
+ });
+
 # In this template, the [[!meta]] directives should stay at the end,
 # so that they will override anything the user specifies. (For
 # instance, [[!meta author="I can fake the author"]]...)
@@ -268,9 +279,9 @@ sub sessioncgi ($$) { #{{{
 # - this means that if they do, rocks fall and everyone dies
 if ($form->submitted eq PREVIEW) {
- # $fake is a location that has the same number of slashes
- # as the eventual location of this comment.
- my $fake = "$page/_comments_hypothetical";
+ # $fake is a possible location for this comment. We don't
+ # know yet what the comment number *actually* is.
+ my $fake = "$page/_comment_1";
 my $preview = IkiWiki::htmlize($fake, $page, 'mdwn',
 IkiWiki::linkify($page, $page,
 IkiWiki::preprocess($page, $page,
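Review bot: The `my $fake = "$page/_comment_1";` line and its two-line comment added inside the sanitize callback are repeated verbatim in the second hunk's PREVIEW branch of the same sub; hoisting a single `my $fake = "$page/_comment_1";` to just before the `IkiWiki::run_hooks` call and reusing it in the preview would keep the two places from drifting apart. The sanitize hooks are invoked on `$body` while it appears to still be wiki markup (the preview code in the next hunk htmlizes it afterwards), so a sanitizer written for HTML only acts on whatever raw markup is present at this point, and the render-time sanitize pass on the stored comment page is presumably what enforces the guarantee the commit message describes under its htmlscrubber/htmlbalance assumption; a comment such as `# Pre-htmlize pass; the stored comment page is sanitized again when rendered` above the call would make that division of responsibility explicit. `sessioncgi` starts and ends outside this hunk.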