Latest News

Instiki 0.30.3 (5/30/2020)


  • Cleverly-crafted pages could be cached outside the cache directory (credit to Christian Sattler).

New Features:

  • Ruby 3.0 compatibility
  • Update for itextomml 1.6.1
  • Heroku-related updates
  • Requires Rack 2.x (should make Passenger deployments a lot easier). You’ll definitely need to do a ruby bundle update for this one.
  • You can now [[!include Web name:Some page]], rather than being restricted to including pages from the same web (which still works, of course [[!include Some page]]).
  • Backlinks work in Published webs, and more Views are available (by popular demand).

Bugs Fixed:

  • Caching fixes
  • Well-formedness of the Search page
  • Latest SVG-Edit broke itex plugin
  • Browsers have tightened cookie policy

Instiki 0.30.2 (4/27/2020)

New Features:

  • Further improvements in Tikz output
  • Better handling of long formulas (e.g. on mobile)
  • Compatible with Ruby 2.7
  • Update SVG-Edit to 5.1.0

Bugs Fixed:

  • Heroku works again (and other PostgreSQL installations)
  • Fixed bug in Search Results (reported by ilpssun)

Instiki 0.30.1 (5/9/2019)

New Features:

  • Recently Revised now lists only the last 50 modified pages (instead of all of them)
  • Use Roboto Mono web fonts for code blocks
  • Improve Markdown Help
  • Improve Search page
  • Improve Tikz output
  • Implement proper Tikz support for TeX output
  • SVG-Edit 5.0.0
  • Bundler 2.0.1
  • itextomml 1.6.0

Bugs Fixed:

  • Fix Heroku deployment
  • Additions to Sanitizer
  • Improvements to the test framework

Instiki 0.30.0 (2/28/2019)

New Features:

  • Optionally support \begin{tikzpicture}...\end{tikzpicture} and \begin{tikzcd}...\end{tikzcd} environments. Requires an additional install and then needs to be enabled in config/environments/production.rb.
  • Support Ruby 2.6
  • Much faster saving (eliminate the double-rendering that used to happen every time you saved a page).
  • Bundler 1.17.3
  • itextomml 1.5.8

Bugs Fixed:

  • Trim whitespace from page names (according to David Tanzer, the source of some caching bugs).
  • Update to Nokogiri 1.8.x (required by Windows)

Instiki 0.20.2 (12/21/2018)

New Features:

  • Support Ruby 2.4, 2.5
  • MathJax 2.7.5
  • SVG-Edit 4.2.0
  • Updated Youtube API

Bugs Fixed:

  • Trim whitespace from author names
  • Update to Nokogiri 1.8.x (required by Windows)

Instiki 0.20.1 (12/9/2016)

New Features:

  • Supports both \mathcal{} AND \mathscr{} via itextomml 1.5.5.

Bugs Fixed:

  • Fixes incorrect font-path in 0.20.0

Instiki 0.20.0 (12/7/2016)

New Features:

  • Enable native MathML in Safari 10.1 (or, really, any browser with good-enough MathML support)
  • Bundle the STIX Two fonts (no more user font problems!)
  • MathJax 2.7

Bugs Fixed:

  • Several well-formedness issues fixed
  • Updates to SVG-Edit

Instiki 0.19.8 (5/7/2016)

New Features:

  • Embedding Youtube videos: [[pusX8MuWmbE:youtube]] or [[pusX8MuWmbE | 640 x 390 :youtube]]
  • URL fragments in Wikilinks: [[foo#bar]]
  • More mobile-friendly
  • “Changes” feed
  • Supports Ruby 2.0-2.3
  • Passenger 5 compatibility
  • MathJax 2.6.1
  • SVG-Edit 2.8.1
  • Bundler 1.11.2

Bugs Fixed:

  • Fix some page-expiry bugs
  • Additional spam/XSS protection
  • (Really) enforce POST on some actions
  • Fix session cookie overflow problem
  • Signed cookies

Instiki 0.19.7 (5/18/2014)

New Features:

  • Supports Ruby 2.0 and 2.1
  • itex2MML 1.5.1:
    • readers can access TeX source by
      • double-clicking on a formula (Firefox)
      • using the MathJax contextual menu (other browsers)
    • Several new commands, including \begintoggle{expr1}{expr2}…{exprN}\endtoggle
  • Support for LaTeX [] command (with auto-linking of INSPIRE and MathSciNet Bibtex keys).
  • MathJax 2.3
  • SVG-Edit 2.7.1
  • Rails 2.3.18

Bugs Fixed:

  • Many SVG-Edit and Maruku bugs fixed
  • Maruku is now up to 50% faster
  • Fixed DNSBLcheck
  • Redirect #new to #edit if the page already exists
  • Unvendored several gems

Instiki 0.19.6 (2/7/2013)

This is a security release. Please update as soon as possible.

New Features:

  • SVG-Edit 1.6
  • Rails 2.3.16

Bugs Fixed:

Instiki 0.19.5 (1/10/2013)

This is a security release. Please update as soon as possible.

New Features:

  • MathJax 2.0
  • Rails 2.3.15
  • Support for embedding Wolfram CDF files
  • Extended support for HTML5 audio and video
  • Maruku and file_signature unbundled

Bugs Fixed:

Instiki 0.19.4 (6/26/2012)

New Features:

  • Update for itex2MML 1.4.10
  • Update SVG-Edit
  • Ruby 1.9.3 Compatibility

Bugs Fixed:

  • Fix CVE-2012-2694 and CVE-2012-2695 (Security!)
  • Fix several Maruku bugs
  • Fix several SVG-Edit bugs
  • Don’t escape style_additions
  • Avoid invalid WikiFile links
  • Fix tombstone bug
  • Fix Theorem Environment
  • Better Cache-Sweeping efficiency
  • Fix double-escaping of flash messages

Instiki 0.19.3 (8/31/2011)

New Features:

  • Source view for Revisions
  • Rails updated to 2.3.14 (Security)
  • itextomml updated to 1.4.6
  • Replace REXML with Nokogiri in Maruku and in xhtml_safe_sanitize(). (Huge speedup in rendering long pages)
  • MathJax updated to 1.1a final

Bugs Fixed:

  • Bundler upgraded to 1.0.18
  • Fix null search bug
  • Better text/html serialization (thank you, Nokogiri)
  • Fix Maruku footnote backlink (reported by Shamaoke)
  • Fix Maruku link bug
  • Fix Maruku image title bug
  • Fix Maruku hrule, email address and header bugs
  • Fix Maruku bold-in-italics bug
  • Fix Maruku empty list-item bug

Instiki 0.19.2 (6/11/2011)

New Features:

  • MathJax rendering for non-MathML capable browsers.
  • RedCloth (Textile) upgraded to 4.x (now handled by Bundler).
  • Bundler upgraded to 1.0.7
  • Rails updated to 2.3.11

Bugs Fixed:

  • Redirects and categories of included pages should not be inherited. (Suggestion of Andrew Stacey).
  • Bug in Maruku equation handling (reported by Andrew Stacey).
  • SVG-Edit updates and bug-fixes.
  • Bug in editing S5 slideshows.
  • Unvendor Rack
  • Fix Maruku list-parsing bug (reported by Shamaoke)
  • Validate Web address (Reported by Richard Marquez).
  • Fix a well-formedness bug

Instiki 0.19.1 (10/15/2010)

New Features:

  • WYSIWYG SVG editing (via SVG-edit)

  • One-click S5 templates

  • Itex2MML is now a Rubygem. Latest is itextomml-1.4.5.

  • Rails Metal itex endpoint

  • HTML5 support

  • Support IALs on Markdown list items

  • From the “All” or Category listings, you can export selected pages (in any desired order) to a single LaTeX file.

  • LaTeX export supports \array{} (with no options) and a LaTeX-style optional argument for \sqrt[]{}. The latter requires itextomml 1.4.5 or later.

  • Updated to Rails 2.3.10 and Erubis (now at 2.6.6)

  • Updated for Rack 1.2.1, sqlite3-ruby 1.3.1

  • Manages dependencies using Bundler. Before running Instiki for the first time (and whenever you update), run

    ruby bundle
    ruby bundle exec rake upgrade_instiki

    from the instiki directory.

Bugs Fixed:

  • Works with Ruby 1.9.2
  • Fixed a bug in non-Latin WikiWord processing. (Reported by Alexander Hambug)
  • Fixed Cyrillic WikiWord support.
  • More informative dnsbl lookup responses (suggested by Toby Bartels)
  • Fixed a bug in LaTeX output
  • No longer conflicts with sqlite3-ruby 1.3.x Rubygem
  • Fixed some Category listing bugs
  • Fixed an escaping bug in ‘new’ and ‘edit’ templates. (Reported by Toby Bartels)
  • Allow special characters (‘.’, ‘/’, etc) in page names.
  • Fix BlahTeX/PNG path, so equations render in diff and previous revision pages.
  • Fix HTML Export feature so that uploaded files are included, stylesheets load, etc.
  • Uploaded files included in Markup Export.
  • Fix Print View, so that uploaded images work.
  • Fix some more Ruby 1.9 issues.
  • Prevent page from being renamed to null.
  • Fix Migration to work under PostgreSQL (from J. Zellman).
  • Updated vendored plugins

Instiki 0.18 (12/27/2009)

New Features:

  • More Syntax colouring modes (‘html’, ‘xml’, ‘ruby’, ‘ansic’, ‘javascript’, ‘sqlite’, ‘yaml’, ‘css’)
  • Source view [suggested by Andrew Stacey].
  • Auto-resizing Textareas scale to fit viewing area.
  • Instiki upgraded to Rails 2.3.5 and Rack 1.1.
  • Now runs on Ruby 1.9.1 and 1.9.2pre. (If you’re running Passenger, version 2.2.8 may be required, to work around a bug in Ruby 1.9.1.)
  • Upgraded for itex2MML 1.3.19 (which works under Ruby 1.9, and has several new features, relative to 1.3.15).

Bugs Fixed:

  • Fixed a CSS bug, which screwed up printing (unless you used the “Print” view).

  • Fixed a well-formedness bug in the page-name truncation algorithm [reported by Toby Bartels].

  • Omitted a (seemingly superfluous) javascript hack which causes Gecko-based browsers to request


    when they load an s5 slideshow.

  • Upgraded vendored sqlite3-ruby and rubyzip.

  • Move files when renaming a web (so that links to uploaded files don’t break).

  • Many Ruby 1.9 fixes, including removing the html5lib Sanitizer.

  • Better accessibility.

  • Improved log rotation under Passenger.

Instiki 0.17.3 (10/23/2009)

The most important facet of this release is a small change in the database schema. Previously, people migrating from the default SQLite3 database to MySQL ran the risk of silent data loss, because MySQL had a more strict interpretation of the column types in the database. The new schema will prevent such problems.

 rake upgrade_instiki

will seamlessly upgrade your existing database to the new schema.

New Features:

  • Passenger support (including X-Sendfile support, if the Apache mod_xsendfile module is installed).
  • Update for itex2MML 1.3.15. (You should upgrade your itex2MML to the latest version, too.)

Bugs Fixed:

  • Refactored the Web model (from James Herdman).
  • Clean malformed utf-8 strings, rather than complaining about them.
  • Updated location of Textile help, since _why_the_lucky_stiff left the ‘net.
  • Fixed a TeX rendering bug.
  • Updated list of XHTML+MathML named entities to match W3C Working Draft.
  • Refactored the Sanitizer (speedup).
  • Fix S5 Slideshows for non-root Instiki URLs.
  • Work around a Rails flash bug.
  • Links from published webs should work right (finally?).
  • An important database migration for MySQL users.

Instiki 0.17.2 (9/5/2009)

In addition to the previously-mentioned improvements, this is primarily a security update.

Security: Updated to Rails 2.3.4

New Features:

  • Updated for itex2MML 1.3.10 (supports \rlap{} and \underline{}). You should upgrade that, too.
  • Add a “Create New Page” Link to the Search Page. (Based on an idea by nowa)
  • Updated to Rails 2.3.4

Bugs Fixed:

  • Wikilinks to published webs should be to the published action. This didn’t work right for inter-web links. (Reported by Mike Shulman)
  • Use .size, rather than .length for ActiveRecord associations. A huge memory saving in building the recently_revised page.
  • Refactor the upgrade_instiki rake task, to make it database-agnostic. (Many thanks to James Herdman)
  • Web#files_path and Web#blatex_pngs_path now return Pathname objects. (Thanks, again, to James Herdman)
  • Workaround for Mozilla Bug 449396. (Reported by Andrew Stacey)
  • Correctly set noindex,nofollow on /diff pages.

Dog Days of Summer (8/12/2009)

New features:

  • Syntax colouring (ruby and html) for code blocks.
  • Updated for itex2MML 1.3.9 (supports \rlap). You should upgrade that, too.
  • Add a “Create New Page” Link to the Search Page
  • Updated to Rails

Bugs Fixed:

  • Page-renaming javascript deals correctly with page names containing ampersands, slashes, and other garbage.
  • List of Wanted Pages should not include redirected pages.
  • The Regexp, used in Maruku to detect “email” headers (used, e.g., for S5 slideshow metadata) could, for some inputs, interact badly with Instiki’s Chunk Handler. Fixed.
  • Ensure “rollback” locks page for editing.
  • Generate relative URLs, when possible. (Patch by Dennis Knauf)
  • Expire revisions of an edited page. Use a before_save hook to deal with the situation where a page’s name has been changed.

Version 0.17.0 (6/19/2009)

New features:

  • Ability to rename pages
  • Ability to redirect Wikilinks, using [[!redirect ...]]
  • HTTP 301 redirects, for redirected/renamed pages

Bugs Fixed:

  • Rails gets very unhappy with “.” in page or author names. Make sure that doesn’t happen.
  • Fix a Maruku escaping bug.
  • WEBrick should respond to TERM signals (needed by MacOSX and, perhaps, others).
  • Add a flash message for redirection to “new” page when the target of “show” action is not found.
  • Flash[:info] messages use Web’s colour scheme.
  • Uploaded files in published webs should be accessible

Version 0.16.6 (5/7/2009)

New Features:

  • More colour schemes: blue, brown, scarlet red, and plum. (From Jason Blevins)
  • History Pages: created a history page for each wiki page. Link to it and to the “Diff” page from “Recently Revised”. (from Jason Blevins)
  • Support for SVG clipping paths (requested by Andrew Stacey)
  • Updated for itex2MML 1.3.8. (You should upgrade that, as well.) Support for blackboard bold lowercase letters and digits.

Bugs Fixed:

  • Fixed several bugs in Maruku, where “greedy” regexps could lead to exponential slowdown on certain inputs.
  • Fixed a bug in listing/deleting links to uploaded video and audio files.
  • Fixed some caching bugs.
  • Removed the defunct from anti-spam dnsbl_check lookups.
  • Resolved a conflict between form_spam_protect plugin and IE7. (thanks to Jason Blevins)

Version 0.16.5 (3/16/2009)

  • Based on Rails 2.3.2 (the Rails 2.3 stable release).
  • Support for audio/speex audio files.
  • Updated for itex2MML 1.3.7. (You should upgrade that, as well.)
  • Tests for BlahTeX/PNG (if installed).

Version 0.16.4 (3/5/2009)

New Features:

  • Support for the HTML5 <video> and <audio> elements.

    • <object> and <embed> were forbidden for obvious security reasons. Now you can use <video> to include videos (Ogg/Theora encoded videos only, with .ogg or .ogv extensions) and <audio> to include audio files (Ogg/Vorbis or WAV encodings, with .ogg, .oga or .wav extensions).

    • You can upload videos with


      and audio files with

  • x-sendfile support (Apache with the x-sendfile module or lighttpd). Serving uploaded files is handled by the webserver, freeing up Instiki to handle other requests. See the Proxying page for details.

  • Update to Rails 2.3.1.

  • Add a favicon for Instiki.

  • Add an id for the Icon’s <svg:path> (which makes it reusable).


  • Removed bundled Rack (Rails 2.3.1 comes bundled with Rack 1.0).

  • Add

     config.action_view.cache_template_loading = true

    to production environment.

  • Fix FastCGI bug.

  • Fix WikiWords bug.

  • Fix Caching Problem in 0.16.3. With the patch, it’s no longer necessary that the Instiki directory be owned by the instiki user (yay!).

  • File Upload Fixes.

  • Fix Maruku Hanging Bug.

    • A Maruku-syntax <div> with an unclosed IAL (and, it seems, at least one equation) would cause Instiki to hang. Badly. Requiring a ‘kill -9’ to terminate it. Reverting the OpenDiv and CloseDiv Regexps to my, more simple-minded, versions fixes the problem.

Version 0.16.3 (2/9/2009)

New Features:

  • Added a logo for Instiki.
  • Upgraded to Rails 2.3.0RC1.

Bugs Fixed:

  • Fixed intra-wiki links in published webs.
  • Fixed two bugs introduced by version 0.16.2.

Security: Version 0.16.2 (1/26/2009)

On Webs with file uploads enabled, uploaded files were stored (in version 0.16.1 and earlier) in the public/ directory. This was a security threat. A miscreant could upload a .html file. When a user clicked on the link to the file, it was opened (unsanitized) in the browser.

As of version 0.16.2, uploaded files are stored in the webs/ directory. Now, when the user clicks on the link, the file is sent with the

 Content-Disposition: attachment

header set, which causes the file to be downloaded, rather than opened in the browser. As always, files downloaded from the internets should be treated with caution. At least, this way, they are not automatically opened in the browser.
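
The serving behaviour described above, sketched as an added example (not Instiki's own code): a stored upload is returned with Content-Disposition: attachment, so an uploaded .html file is downloaded rather than rendered in the wiki's origin. The helper names, the directory layout, the application/octet-stream type, the nosniff header and the directory-containment check are assumptions of this example, not details from the release note.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Added example; hypothetical helpers, not Instiki's implementation.

# Build the Content-Disposition value. Control characters are dropped (so a
# file name can never start a new header line) and the two characters that
# are special inside a quoted-string are backslash-escaped.
def disposition_for(name)
  safe = name.gsub(/[\x00-\x1f\x7f]/, '').gsub(/(["\\])/) { "\\#{$1}" }
  %(attachment; filename="#{safe}")
end

# Decide how to answer a request for an uploaded file that lives in a
# storage directory outside the web server's document root.
# Returns [status, headers, path_or_nil].
def upload_response(files_dir, requested_name)
  return [404, {}, nil] if requested_name.include?("\0")

  root = Pathname.new(files_dir).realpath
  candidate = root.join(requested_name).cleanpath

  # Only a regular file that is a direct child of the storage directory
  # is served; "../x", "sub/x" and absolute paths all fail this test.
  return [404, {}, nil] unless candidate.dirname == root && candidate.file?
  # A symlink inside the directory must not point outside it.
  return [404, {}, nil] unless candidate.realpath.dirname == root

  headers = {
    # Generic type plus nosniff: the browser is given no reason to render.
    'Content-Type' => 'application/octet-stream',
    'X-Content-Type-Options' => 'nosniff',
    # The header named in the release note: download, do not open inline.
    'Content-Disposition' => disposition_for(candidate.basename.to_s)
  }
  [200, headers, candidate.to_s]
end

# Constructed sample layout: one uploaded HTML file inside the storage
# directory and one unrelated file above it.
def demo
  Dir.mktmpdir do |tmp|
    files = File.join(tmp, 'webs', 'wiki', 'files')
    FileUtils.mkdir_p(files)
    File.write(File.join(files, 'notes.html'), '<p>constructed sample upload</p>')
    File.write(File.join(tmp, 'database.yml'), 'constructed sample')

    ['notes.html', '../../../database.yml', 'missing.png'].map do |name|
      status, headers, _path = upload_response(files, name)
      [name, [status, headers['Content-Disposition']]]
    end.to_h
  end
end

if __FILE__ == $0
  demo.each { |name, (status, disp)| puts "#{name}: #{status} #{disp}" }
end
```
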

To move your existing uploaded files to the new location, do a

 rake upgrade_instiki

Other improvements since version 0.16.1 include:

Bug Fixes:

  • Corrected a typo in the file_list view.

  • Fixed the “Backslashes in Included Equations” bug.

  • Hide equations from WikiChunk processing.

    • Doesn’t seem to work for inline equations: a bug.
  • Fix a cosmetic issue with equation numbering.

  • Exporting a Web as a .zip archive now supports XHTML export.

New Feature:

  • Added links to referring pages in the file_list view.

Version 0.16.1 (1/10/2009)

Bug Fixes:

  • WikiWords can start with Multiple capital letters (better matches what other implementations do).
  • More cache-expiry fixes
  • Clean up detritus from deleting a page.
  • Eliminate the bug-ridden CGI.unescapeHTML, in favour of our own routine.

New Features:

  • Interface (actually, two interfaces) for managing uploaded files.
  • Webs which use the Textile, RDoc and Mixed text filter engines are now sent as text/html. Which makes using those “legacy” filters practical on this branch of Instiki.

Version 0.16 (12/24/2008)

Version 0.16 released.

Various Fixes (12/23/2008)

Bug Fixes:

  • Allow single-letter WikiLinks ([[a]]) and single-letter Includes ([[!include a]]).
  • Make @import in Stylesheet Tweaks work in published view.
  • Redirect back to “Create New Web” form when password was entered incorrectly.
  • Fix for recursive [[!include …]] directives. This was a longstanding (and, IMHO, rather serious) Instiki bug.
  • Weird interaction between NoWiki and Include chunks fixed.
  • In the Edit Web interface, when setting a password for the Web, the “Password” field must actually match the “Verify” field. Previously, the “Verify” field was a placebo.
  • Uploaded pictures now display in Published mode.
  • Make anti-spam features a little less obtrusive:
    • fix some over-eager spam_patterns
    • be more parsimonious in doing dnsbl lookups
  • When encountering an Instiki::ValidationError, avoid wherever possible throwing away the user’s new content.
  • Drop hostname from cache key. Should lead to many fewer stale cached pages.
  • Other miscellaneous code improvements.

New Features:

Various Fixes (12/9/2008)

Bug Fixes:

  • Worked around a “bug” in the HTML5lib Sanitizer, which could lead to ill-formed content in <nowiki> blocks.
  • Inter-Web links now work correctly.
  • Feeds page is now accessible on Published Webs.
  • Fixed longstanding bug, whereby flash messages were cached.
  • Modifying a page expires the cache of all pages that include that page.
  • Fixed an issue in the Sanitizer.

New Features:

  • Added an interface to delete a Web.
  • Added an interface to delete orphaned pages by category.

Rails 2.2.2 (11/24/2008)

Instiki is now running on Rails 2.2.2.

Rails 2.2.0 (10/26/2008)

  • Instiki is now running on Rails 2.2.0, which incorporates some security fixes.
  • Fixed a couple of bugs in the upgrade process.

Theorem Environments (10/20/2008)

Released version 0.15, incorporating Theorem-like Environments.

IE7+MathPlayer (8/20/2008)

Fixed a longstanding bug with IE7+MathPlayer. Instiki now works with that browser/plugin combination.

Rails 2.1 (6/1/2008)

  • Instiki is now running on Rails 2.1.
  • A couple of bugfixes.

Rails Update (5/21/2008)

  • Instiki is now running on the latest candidate release of Rails, 2.1 RC1 (aka 2.0.991).
  • I’ve also been working at improving Instiki’s performance. The latest version, with a new sanitizer, is significantly faster than previously. It’s worth upgrading, just for the speed boost.

Security: XSS Vulnerability (3/15/2008)

A critical XSS vulnerability has been found in Instiki. Please update!

Mongrel (1/17/2008)

  • I fixed a bunch of annoying bugs. See the log for details.
  • We now bundle the latest REXML.
  • This installation now runs on Mongrel, rather than WEBrick. There are updated instructions, should you want to do the same.

Rails 2.0.2 (1/3/2008)

  • Instiki is now based on Rails 2.0.2.
  • Made a bunch of fixes to better ensure well-formedness. (Thanks to Philip Taylor and Henri Sivonen for beating on the application to uncover these issues.)
  • Various other fixes and improvements.

SVG in Equations

Enhanced support for embedding SVG in itex equations. This requires itex2MML 1.3 or later.

New Version (10/15/2007)

It’s time to bump the version number.

  • Many improvements (some performance-related).
  • A security fix (see revision 169).
  • We’ve also migrated to Rails 1.2.5.

TeX Export (10/4/2007)

Much-improved LaTeX export (the little “TeX” link at the bottom of the page). Many thanks to Jason Blevins for his hard work on this.

S5 Themes (9/2/2007)

Instiki now sports S5 Theme support.

Security Update (9/2/2007)

  • Security: Unsafe handling of categories and of <nowiki> led to cross-site scripting vulnerabilities. Please update.

Real XHTML in Safari (7/26/2007)

  • Finally managed to get real XHTML S5 slideshows to work in Safari. So you can now use SVG in your slideshows for that browser.

Under the Hood (5/25/2007)

  • Etags (If-None-Match) and Conditional GET (If-Modified-Since) support (via a modified version of the action_cache plugin)
  • Switched to HTML5lib-based sanitizer.
  • Synced with latest version of main Instiki and Maruku.

Recent Fixes (3/30/2007)

  • Log Rotations
  • Upgrade to Rails 1.2.3
  • XML-safe output (for non-MathML-aware XHTML clients): ported MathML::Entities to Ruby and use it to filter output
  • Send S5 slideshows to Safari as text/html. Safari’s DOM support is rather broken for real XHTML.

BZR Feed (3/12/2007)

If you are tracking developments in this branch of Instiki via the BZR Repository, now there’s an easy way to keep abreast. The Repository has its own Atom feed. Subscribe, and you will be automatically informed of updates to the software. The same is true of the BZR Repository for itex2MML and its Atom feed.

Recent Fixes (3/10/2007)

Lots of bugfixes, and a few minor features additions.

  • S5 views are now visible on a published (password protected) Web. (See this example) [From Jason Blevins]
  • Methods in WikiReferences now restrict themselves (properly) to the current Web. [From Jason Blevins]
  • File uploads now work.
  • Security: ensure file upload directory is not world-writable.
  • Enabled file-system-based caching. (Should be more scalable than the in-memory caching.)
  • Security: ensure that the file-system cache is not world-writable (a security flaw in Rails).
  • Category list and recently_revised views now work properly.
  • Cache S5, TeX and Print views.
  • Deal correctly with clients that don’t send an HTTP_ACCEPT header.
  • Ensure that input is bona fide utf-8.
  • Other well-formedness issues.
  • Improvements to the S5 code.
  • Maruku bugfixes. [From Andrea Censi]
  • Minor improvements from the Instiki SVN trunk.

Minor Update (3/2/2007)

This branch of Instiki is in constant development, so I won’t make a practice of announcing each and every minor improvement. But XHTML well-formedness is a priority and I fixed a well-formedness issue in the “Rollback” function today.

You can grab the update either as a tarball or via BZR.

S5 Support (3/1/2007)

There are still a few bugs, but my branch of Instiki is now S5-enabled. Any page in the category S5-slideshow has a new “View.” Scroll to the bottom of the page and click on “S5” to view the slide show. S5 is cool, in its own right. But MathML and SVG in S5 is beyond cool. And Maruku provides a drop-dead simple authoring environment.

Check out the sample slide show.

XSS Vulnerability in Instiki (2/27/2007)

A Cross-Site-Scripting vulnerability has been found in Instiki. This is a serious flaw, allowing visitors to an unpatched Instiki Wiki to inject malicious javascript onto your Wiki. Please upgrade to the latest version.

More details about the vulnerability can be found in this blog post.