oh, this is confusing, it needs escaping in <title>, but not when it's used

inline, already escaped there

debian/changelog

@@ -12,9 +12,8 @@ ikiwiki (1.46) unstable; urgency=low
     same time, and let the second person resolve the conflict.
   * Applied a patch from Michał to make the mercurial backend pass --quiet to
     hg.
-  * Fix a few bugs around page titles containing html. The worst of these
+  * Fix a security hole that allowed a web user to insert
-    is an actual security hole as it allows insertion of html into the title
+    arbitrary html in the title of a page due to missing escaping.
-    element of a page, which is not processed by the htmlscrubber.
 
  -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 01:51:30 -0400
 

po/ikiwiki.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-21 01:50-0400\n"
+"POT-Creation-Date: 2007-03-21 02:05-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

templates/archivepage.tmpl

@@ -1,5 +1,5 @@
 <p>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a><br />
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a><br />
 <i>
 Posted <TMPL_VAR CTIME>
 </i>

templates/inlinepage.tmpl

@@ -10,9 +10,9 @@
 </TMPL_IF>
 <span class="header">
 <TMPL_IF NAME="PERMALINK">
-<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE ESCAPE=HTML></a>
+<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE></a>
 <TMPL_ELSE>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a>
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a>
 </TMPL_IF>
 </span>
 <TMPL_VAR CONTENT>

templates/titlepage.tmpl

@@ -1 +1 @@
-<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a></p>
+<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a></p>