Patch to re-enable metadata about gollum-lib HOT 5 CLOSED

Would you mind submitting this as a pull request? I think the key and value should be HTML sanitized.

from gollum-lib.

OK, I submitted a pull request.

I did not add the HTML sanitization because I feel that it should be the user of the metadata that decides whether it needs to be sanitized rather than the parser of the metadata. I don't know all the possible use cases for metadata, so maybe it's only meant to be a way of setting bits of the generated HTML in which case always HTML sanitizing the metadata would be OK. OTOH, perhaps the page metadata could be used as a way to specify metadata (either to-be-embedded metadata like "keywords" or formatting metadata like page size/orientation) for a PDF or ePub file generated from a Gollum wiki, in which case one might want "PDF sanitization" instead (if there even is such a thing).

FWIW, setting the page title in Gollum with:

<!-- --- title: My Malicious Title </title><script>alert('hi!');</script> -->

does not result in an alert box being displayed. Instead, the title is displayed as:

My Malicious Title </title><script>alert('hi!');</script>

so it is already being at least HTML-escaped.

from gollum-lib.

Smeagol utilizes the metadata to set a custom layout template. FYI, Smeagol is a tool to serve up a Gollum wiki as a customized read-only website. Thus it allows Gollum to be used as a sort-of light-weight CMS system. So I definitely would like to see this feature return.

I think there is no problem with going ahead with the sanitizing. This was discussed before and I couldn't find any potential example where sanitizing would actually be a problem. Better to error on the side of caution now, and return to the question later if it presents any real issue.

Also note it would be pretty easy to support multi-line entries --just delay adding the entry until the next line has no indention relative to the previous entry's.

from gollum-lib.

Fixed in #30

from gollum-lib.

Ah, awesome. Thanks!

from gollum-lib.