meta headers are not sanitised; prevent html leaking into them

master
joey 2006-06-02 06:11:22 +00:00
parent 03867bf323
commit 5454186939
3 changed files with 17 additions and 17 deletions


@ -27,11 +27,13 @@ sub preprocess (@) { #{{{
my $page=$params{page}; my $page=$params{page};
delete $params{page}; delete $params{page};
eval q{use CGI 'escapeHTML'};
if ($key eq 'link') { if ($key eq 'link') {
if (%params) { if (%params) {
$meta{$page}='' unless exists $meta{$page}; $meta{$page}='' unless exists $meta{$page};
$meta{$page}.="<link href=\"$value\" ". $meta{$page}.="<link href=\"".escapeHTML($value)."\" ".
join(" ", map { "$_=\"$params{$_}\"" } keys %params). join(" ", map { escapeHTML("$_=\"$params{$_}\"") } keys %params).
" />\n"; " />\n";
} }
else { else {
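Review bot: the `map` on the second added line of this hunk escapes the whole `$_="$params{$_}"` string, so the quote characters that delimit each attribute come out as `&quot;` and the emitted `<link>` no longer has valid attribute syntax; only the value should be escaped, e.g. `map { "$_=\"".escapeHTML($params{$_})."\"" }`. The attribute name `$_` also needs more than escaping, since escapeHTML leaves whitespace and `=` untouched; a name that is not a plain token should be rejected (for example require `/^[a-zA-Z][\w:-]*$/`) rather than interpolated. Escaping `$value` inside `href` keeps it from breaking out of the attribute but does not constrain what URL it is, which is worth noting as a limitation. Finally, `eval q{use CGI 'escapeHTML'}` is never checked; if the import fails the later escapeHTML calls die at runtime, so test `$@` or load the module at file scope.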
@ -40,11 +42,11 @@ sub preprocess (@) { #{{{
} }
} }
elsif ($key eq 'title') { elsif ($key eq 'title') {
$title{$page}=$value; $title{$page}=escapeHTML($value);
} }
else { else {
$meta{$page}='' unless exists $meta{$page}; $meta{$page}='' unless exists $meta{$page};
$meta{$page}.="<meta name=\"$key\" content=\"$value\" />\n"; $meta{$page}.="<meta name=\"".escapeHTML($key)."\" content=\"".escapeHTML($value)."\" />\n";
} }
return ""; return "";
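Review bot: `$title{$page}=escapeHTML($value)` stores an already-escaped string, so any consumer that escapes on output (a template field with ESCAPE=HTML, a feed title) will double-encode `&` as `&amp;amp;`; prefer keeping the raw title in `%title` and escaping where it is interpolated into HTML, or document that the hash now holds HTML text. The generic `<meta>` branch escapes both `$key` and `$value`, which is right for attribute content, but as in the `link` branch the name should additionally be restricted to a valid attribute token rather than relying on escapeHTML alone.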


@ -1,4 +1,6 @@
This plugin allows inserting arbitrary metadata into the source of a page. This plugin allows inserting arbitrary metadata into the source of a page.
This plugin is not enabled by default. If it is enabled, the title of this
page will say it is. [[meta title="meta plugin (enabled)"]]
Enter the metadata as follows: Enter the metadata as follows:
\\[[meta field="value"]] \\[[meta field="value"]]
@ -39,7 +41,3 @@ You can use any field names you like, but here are some predefined ones:
If the field is not treated specially (as the link and title fields are), If the field is not treated specially (as the link and title fields are),
the metadata will be written to the generated html page as a &lt;meta&gt; the metadata will be written to the generated html page as a &lt;meta&gt;
header. header.
This plugin is not enabled by default. If it is enabled, the title of this
page will say it is.
[[meta title="meta plugin (enabled)"]]
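Review bot: the sentence "the metadata will be written to the generated html page as a <meta> header" should now say that the field name and value are HTML-escaped, so markup in a value is emitted literally rather than interpreted; without that, readers of this page will still expect raw HTML in metadata to work. Moving the "not enabled by default" paragraph and its `[[meta title=...]]` directive to the top of the page is fine.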


@ -79,15 +79,6 @@ Runs on the raw source of a page, before anything else touches it, and can
make arbitrary changes. The function is passed named parameters `page` and make arbitrary changes. The function is passed named parameters `page` and
`content` and should return the filtered content. `content` and should return the filtered content.
## sanitize
IkiWiki::hook(type => "filter", id => "foo", call => \&sanitize);
Use this to implement html sanitization or anything else that needs to
modify the content of a page after it has been fully converted to html.
The function is passed the page content and should return the sanitized
content.
## pagetemplate ## pagetemplate
IkiWiki::hook(type => "pagetemplate", id => "foo", call => \&pagetemplate); IkiWiki::hook(type => "pagetemplate", id => "foo", call => \&pagetemplate);
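Review bot: the removed `## sanitize` section registered the hook with `type => "filter"`, which was a documentation error (per the `filter` entry above, such a hook runs on the raw source, not on the rendered HTML the section describes); since the section is relocated rather than dropped, mention the plugin-API doc fix in the commit message, which currently only covers the meta escaping.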
@ -99,6 +90,15 @@ be used to generate the page. It can manipulate that template, the most
common thing to do is probably to call $template->param() to add a new common thing to do is probably to call $template->param() to add a new
custom parameter to the template. custom parameter to the template.
## sanitize
IkiWiki::hook(type => "sanitize", id => "foo", call => \&sanitize);
Use this to implement html sanitization or anything else that needs to
modify the content of a page after it has been fully converted to html.
The function is passed the page content and should return the sanitized
content.
## delete ## delete
IkiWiki::hook(type => "delete", id => "foo", call => \&dele); IkiWiki::hook(type => "delete", id => "foo", call => \&dele);
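Review bot: the re-added section correctly uses `type => "sanitize"`, but "The function is passed the page content" is vaguer than the `filter` entry, which spells out named parameters `page` and `content`; state the exact calling convention so sanitizer authors do not have to guess. It is also worth one sentence that sanitize runs only on the converted page body: values a plugin hands to the template via pagetemplate are not passed through it, which is exactly why meta.pm has to escape its own output in this commit.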