wikitools_decode_page_name() should really escape $page_name with check_plain() or something else, because it won't display characters like < or > properly. For example, I want to create a wiki for HTML. See what wikipath/

does to the website! (using Garland theme) I don't know if this can be a security problem though.
CommentFileSizeAuthor
#2 252218-2.patch768 bytesjpmckinney

Comments

Leonth’s picture

The 2nd sentence should be: See what wikipath/<iframe> does to the website! (using Garland theme)

jpmckinney’s picture

Status: Active » Needs review
StatusFileSize
new768 bytes

Indeed a bug. Also, XSS vulnerability?

jpmckinney’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.