the real bug turned out to be in the meta plugin

IkiWiki/Plugin/meta.pm

@@ -56,7 +56,7 @@ sub preprocess (@) { #{{{
 		}
 	}
 	elsif ($key eq 'title') {
-		$title{$page}=$value;
+		$title{$page}=encode_entities($value);
 	}
 	elsif ($key eq 'permalink') {
 		$permalink{$page}=$value;

debian/changelog

@@ -12,8 +12,8 @@ ikiwiki (1.46) unstable; urgency=low
     same time, and let the second person resolve the conflict.
   * Applied a patch from Michał to make the mercurial backend pass --quiet to
     hg.
-  * Fix a security hole that allowed a web user to insert
-    arbitrary html in the title of a page due to missing escaping.
+  * Fix a security hole that allowed a web user to insert arbitrary html in
+    the title of a page due to missing escaping of titles in the meta plugin.
 
  -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 01:51:30 -0400
 

po/ikiwiki.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-21 02:05-0400\n"
+"POT-Creation-Date: 2007-03-21 02:42-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

templates/page.tmpl

@@ -3,7 +3,7 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title><TMPL_VAR TITLE ESCAPE=HTML></title>
+<title><TMPL_VAR TITLE></title>
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>style.css" type="text/css" />
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>local.css" type="text/css" />
 <TMPL_IF NAME="FAVICON">