It was found that the osm plugin for ikiwiki uses htmlscrubber (if enabled) to sanitize some parameters. Even when it is enabled, it was found that it still does not correctly escape some fields. In particular, the "name" parameter is included verbatim, involuntarily breaking the JavaScript when the name contains a single quote/apostrophe ('). Due to this, JavaScript code injection might become trivial. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731797
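The report describes a value being dropped verbatim between single quotes inside generated JavaScript, so an ordinary apostrophe already terminates the string literal. The following Python is an added illustration of the defect class and of the fix a maintainer would apply (encode the value as a JavaScript string literal rather than wrapping it in quotes); it is not ikiwiki's code (ikiwiki is written in Perl), and `addMarker` is a hypothetical function name standing in for whatever the osm plugin emits.

```python
import json


def js_string_literal(value: str) -> str:
    """Encode a string as a JavaScript string literal safe to embed in a
    <script> block. json.dumps escapes quotes, backslashes and control
    characters; the extra replacements keep the literal from being read as
    an HTML end tag ("</") or as a JS line terminator (U+2028/U+2029)."""
    literal = json.dumps(value, ensure_ascii=False)
    return (literal
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def is_wellformed_js_string(literal: str) -> bool:
    """Check that a literal opens and closes with the same quote and that no
    unescaped copy of that quote (or raw line terminator) appears inside.
    If this returns False, everything after the early terminator is parsed
    as code, which is the condition the bug report describes."""
    if len(literal) < 2 or literal[0] not in "'\"" or literal[-1] != literal[0]:
        return False
    quote = literal[0]
    i = 1
    while i < len(literal) - 1:
        ch = literal[i]
        if ch == "\\":
            i += 2  # backslash escape: skip the escaped character
            continue
        if ch == quote or ch in "\n\r\u2028\u2029":
            return False
        i += 1
    return i == len(literal) - 1


def render_marker_unsafe(name: str) -> str:
    # The pattern the report describes: the value is interpolated verbatim
    # between single quotes, so a quote in the value ends the literal early.
    return "addMarker('%s');" % name


def render_marker_safe(name: str) -> str:
    # Fixed form: the encoder owns the quoting, the template does not.
    return "addMarker(%s);" % js_string_literal(name)


def round_trips(name: str) -> bool:
    """A correctly escaped literal decodes back to the original value."""
    return json.loads(js_string_literal(name)) == name


if __name__ == "__main__":
    # Constructed sample input: a perfectly ordinary place name with an apostrophe.
    sample = "O'Brien's Quay"
    print(render_marker_unsafe(sample), is_wellformed_js_string("'%s'" % sample))
    print(render_marker_safe(sample), is_wellformed_js_string(js_string_literal(sample)))
```

The well-formedness check is useful as a regression test for any template that writes values into script context: run it over the literal the template produced rather than over the input, so it catches every quoting mistake, not just apostrophes.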
Created ikiwiki tracking bugs for this issue: Affects: fedora-all [bug 1039939]
ikiwiki-3.20140125-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ikiwiki-3.20140125-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Can we close this ticket?