ikiwiki -- javascript insertion via uris

ID 739329C8-D8F0-11DC-AC2F-0016D325A0ED
Type freebsd
Reporter FreeBSD
Modified 2010-05-12T00:00:00


The ikiwiki development team reports:

The htmlscrubber did not block javascript in uris. This was fixed by adding a whitelist of valid uri types, which does not include javascript. Some urls specifiable by the meta plugin could also theoretically have been used to inject javascript; this was also blocked.
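The allowlist approach described in the report, shown as an added Python example (not ikiwiki's own Perl code). The scheme set, the attribute list and all function names are assumptions made for illustration, and the sample inputs are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Assumed values for this example; the page does not list ikiwiki's actual set.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
URI_ATTRS = {"href", "src", "action", "cite"}
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
EDGE_CHARS = "".join(map(chr, range(0x21)))  # C0 controls and space

def is_allowed_uri(value):
    """True if value is a relative reference or uses an allowlisted scheme."""
    # Browsers drop tab/CR/LF anywhere in a URL and trim leading and trailing
    # controls and spaces, so normalise the same way before reading the scheme.
    v = re.sub(r"[\t\r\n]", "", value).strip(EDGE_CHARS)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in v):
        return False  # other embedded control characters: refuse outright
    m = SCHEME_RE.match(v)
    if m:
        return m.group(1).lower() in ALLOWED_SCHEMES
    # No well-formed scheme: accept only when no ':' precedes the first
    # '/', '?' or '#', which is what makes it a plain relative reference.
    return ":" not in re.split(r"[/?#]", v, maxsplit=1)[0]

class LinkScrubber(HTMLParser):
    """Re-emits tags and text, dropping URI attributes that fail the check."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        # The parser has already decoded entities in attribute values, so
        # "&#106;avascript:" reaches is_allowed_uri() as "javascript:".
        kept = [(k, v or "") for k, v in attrs
                if k not in URI_ATTRS or is_allowed_uri(v or "")]
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (k, html.escape(v, quote=True)) for k, v in kept)))
    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def scrub(markup):
    parser = LinkScrubber()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

This covers only the URI check; it does not filter tags or non-URI attributes, which a full HTML scrubber must also do.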