From 54541869392f162bb195b8b67814ef0a394c1961 Mon Sep 17 00:00:00 2001
From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Fri, 2 Jun 2006 06:11:22 +0000
Subject: [PATCH] meta headers are not sanitised; prevent html leaking into
 them

---
 IkiWiki/Plugin/meta.pm | 10 ++++++----
 doc/plugins/meta.mdwn  |  6 ++----
 doc/plugins/write.mdwn | 18 +++++++++---------
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 8244cf718..41d096e0e 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -27,11 +27,13 @@ sub preprocess (@) { #{{{
 	my $page=$params{page};
 	delete $params{page};
 
+	eval q{use CGI 'escapeHTML'};
+
 	if ($key eq 'link') {
 		if (%params) {
 			$meta{$page}='' unless exists $meta{$page};
-			$meta{$page}.="<link href=\"$value\" ".
-				join(" ", map { "$_=\"$params{$_}\"" } keys %params).
+			$meta{$page}.="<link href=\"".escapeHTML($value)."\" ".
+				join(" ", map { escapeHTML("$_=\"$params{$_}\"") } keys %params).
 				" />\n";
 		}
 		else {
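Review bot: The map on the second added line escapes the whole `key="value"` string, so escapeHTML turns the surrounding quotes into `&quot;` and every extra link attribute is emitted malformed, as `rel=&quot;alternate&quot;` instead of `rel="alternate"`. Escape the two parts separately and add the quotes afterwards: `join(" ", map { escapeHTML($_).'="'.escapeHTML($params{$_}).'"' } keys %params).`. The key is still interpolated as a bare attribute name, and escapeHTML leaves whitespace and `=` untouched, so it is worth rejecting keys that do not match an anchored pattern such as `/\A[A-Za-z][\w:-]*\z/` before building the tag. The `eval q{use CGI 'escapeHTML'}` result is never checked; if CGI fails to load the failure only surfaces later as an undefined-subroutine error, so either `die $@ if $@;` after it or a file-level `use CGI qw(escapeHTML);` (the import block is outside this hunk) would make the dependency explicit. The body of preprocess starts before this hunk and continues past it.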
@@ -40,11 +42,11 @@ sub preprocess (@) { #{{{
 		}
 	}
 	elsif ($key eq 'title') {
-		$title{$page}=$value;
+		$title{$page}=escapeHTML($value);
 	}
 	else {
 		$meta{$page}='' unless exists $meta{$page};
-		$meta{$page}.="<meta name=\"$key\" content=\"$value\" />\n";
+		$meta{$page}.="<meta name=\"".escapeHTML($key)."\" content=\"".escapeHTML($value)."\" />\n";
 	}
 
 	return "";
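Review bot: The title is escaped at the point it is stored, `$title{$page}=escapeHTML($value);`, rather than where it is emitted; if the page template or a pagetemplate hook escapes the title again on output (not visible here), an `&` in a title would render as `&amp;amp;`. Worth confirming how the template consumes `$title{$page}`; if it already escapes, keeping the raw value and escaping once at output avoids the double encoding. The `<meta>` line is fine as written, since both the name and the content sit inside quoted attribute values and escapeHTML covers `"`, `<`, `>` and `&`. The surrounding preprocess sub starts before this hunk.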
diff --git a/doc/plugins/meta.mdwn b/doc/plugins/meta.mdwn
index 371713a31..998dd5d86 100644
--- a/doc/plugins/meta.mdwn
+++ b/doc/plugins/meta.mdwn
@@ -1,4 +1,6 @@
 This plugin allows inserting arbitrary metadata into the source of a page.
+This plugin is not enabled by default. If it is enabled, the title of this
+page will say it is. [[meta title="meta plugin (enabled)"]]
 Enter the metadata as follows:
 
 	\\[[meta field="value"]]
@@ -39,7 +41,3 @@ You can use any field names you like, but here are some predefined ones:
 If the field is not treated specially (as the link and title fields are),
 the metadata will be written to the generated html page as a &lt;meta&gt;
 header.
-
-This plugin is not enabled by default. If it is enabled, the title of this
-page will say it is.
-[[meta title="meta plugin (enabled)"]]
diff --git a/doc/plugins/write.mdwn b/doc/plugins/write.mdwn
index b2b7c6ff8..515c4d90d 100644
--- a/doc/plugins/write.mdwn
+++ b/doc/plugins/write.mdwn
@@ -79,15 +79,6 @@ Runs on the raw source of a page, before anything else touches it, and can
 make arbitrary changes. The function is passed named parameters `page` and
 `content` and should return the filtered content.
 
-## sanitize
-
-	IkiWiki::hook(type => "filter", id => "foo", call => \&sanitize);
-
-Use this to implement html sanitization or anything else that needs to
-modify the content of a page after it has been fully converted to html.
-The function is passed the page content and should return the sanitized
-content.
-
 ## pagetemplate
 
 	IkiWiki::hook(type => "pagetemplate", id => "foo", call => \&pagetemplate);
@@ -99,6 +90,15 @@ be used to generate the page. It can manipulate that template, the most
 common thing to do is probably to call $template->param() to add a new
 custom parameter to the template.
 
+## sanitize
+
+	IkiWiki::hook(type => "sanitize", id => "foo", call => \&sanitize);
+
+Use this to implement html sanitization or anything else that needs to
+modify the content of a page after it has been fully converted to html.
+The function is passed the page content and should return the sanitized
+content.
+
 ## delete
 
 	IkiWiki::hook(type => "delete", id => "foo", call => \&dele);
-- 
2.39.5