A similar cross-site scripting (XSS) problem is exploitable in the handling of Windows shares and external links, too. To fix this problem as well, two lines need to be inserted in the _formatLink() function in inc/parser/xhtml.php around line 881:
// remove double encodings in titles
$link['title'] = str_replace('&amp;amp;','&amp;',$link['title']);
// The following two lines need to be inserted:
// percent-encode characters that could break out of the href attribute
$link['url'] = strtr($link['url'],array('>'=>'%3E','<'=>'%3C','"'=>'%22'));
// entity-encode the same characters in the title attribute
$link['title'] = strtr($link['title'],array('>'=>'&gt;','<'=>'&lt;','"'=>'&quot;'));
$ret = '';
$ret .= $link['pre'];
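To see what the two inserted lines change, here is an added illustration (not DokuWiki's own code): a minimal render_link() that builds the anchor the way the page describes _formatLink() doing, once without and once with the fix, fed a constructed link whose title tries to close the attribute. The function names and the sample values are assumptions.

```php
<?php
// Minimal stand-in for the anchor construction in _formatLink(): the URL goes
// into href and the title into the title attribute (hypothetical helper).
function render_link(array $link, bool $fixed): string
{
    if ($fixed) {
        // The two lines from the fix: neutralise the characters that could
        // close an attribute value or open a tag.
        $link['url']   = strtr($link['url'],   array('>'=>'%3E','<'=>'%3C','"'=>'%22'));
        $link['title'] = strtr($link['title'], array('>'=>'&gt;','<'=>'&lt;','"'=>'&quot;'));
    }
    return '<a href="'.$link['url'].'" title="'.$link['title'].'">'
         . $link['name'].'</a>';
}

// Cheap sanity check for a reviewer: a single anchor has exactly one opening
// tag and one closing tag, so exactly two '<' and two '>' in the markup.
function is_single_anchor(string $html): bool
{
    return substr_count($html, '<') === 2 && substr_count($html, '>') === 2;
}

// Constructed sample input (hypothetical values), with the title and URL
// carrying the characters the fix targets.
$link = array(
    'url'   => 'http://example.com/?x="><b>',
    'title' => '"><b>injected</b>',
    'name'  => 'example',
);

$vulnerable = render_link($link, false);
$hardened   = render_link($link, true);

echo "without fix: ", $vulnerable, "\n";   // extra tags appear in the markup
echo "with fix:    ", $hardened, "\n";     // stays one anchor element
echo "without fix single anchor? ", var_export(is_single_anchor($vulnerable), true), "\n";
echo "with fix single anchor?    ", var_export(is_single_anchor($hardened), true), "\n";
```

With the fix applied the title renders as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` and the URL as `...%22%3E%3Cb%3E`, so the browser sees one anchor element and plain text rather than injected markup.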
Both fixes were added to the downloadable archive of Release 2005-09-22 at http://www.splitbrain.org/go/dokuwiki