Made the web escaping of additional characters a configuration setting.

3 files changed, 38 insertions, 12 deletions

diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index ef8bdd3b..5c42e5e9 100644
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -201,6 +201,31 @@ WEB_VLINK_COLOR = ''                              # If true, forces VLINK=
 WEB_HIGHLIGHT_COLOR = '#dddddd'                   # If true, alternating rows
                                                   # in listinfo & admin display
 
+# User entered data is escaped for redisplay in web responses to avoid Cross
+# Site Scripting (XSS) attacks. The normal escaping replaces the characters
+# <, >, & and " with the respective HTML entities &lt;, &gt;, &amp; and
+# &quot;.  There are apparently some older, broken browsers that misinterpret
+# certain non-ascii characters as <, > or ".  The following two settings
+# control whether additional characters are escaped, and what characters are
+# replaced with what.  Note that in character sets that represent some
+# characters as multi-byte sequences, enabling the escaping of additional
+# characters can replace part of a multi-byte sequence with an HTML entity,
+# thus breaking an otherwise harmless character.
+#
+# Enable the replacement of additional characters when escaping strings for
+# the web.
+BROKEN_BROWSER_WORKAROUND = No
+#
+# If the above setting is Yes, the following dictionary definition determines
+# what additional characters are replaced with what.
+BROKEN_BROWSER_REPLACEMENTS = {'\x8b': '&#8249;',  # single left angle quote
+                               '\x9b': '&#8250;',  # single right angle quote
+                               '\xbc': '&#188;',   # < plus high order bit
+                               '\xbe': '&#190;',   # > plus high order bit
+                               '\xa2': '&#162;',   # " plus high order bit
+                              }
+
+
 
 #####
 # Archive defaults
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index f9a4e690..c93df81f 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -425,19 +425,13 @@ def check_global_password(response, siteadmin=True):
 
 
 _ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
-# Characters misinterpreted as < or > by some broken browsers.
-_broken_browser = {'\x8b': '&#8249;',
-                   '\x9b': '&#8250;',
-                   '\xbc': '&#188;',
-                   '\xbe': '&#190;',
-                   '\xa2': '&#162;'
-                  }
 def websafe(s):
-    # Archiver can pass unicode here. Just skip them as the
-    # archiver escapes non-ascii anyway.
-    if isinstance(s, str):
-        for k in _broken_browser:
-            s = s.replace(k, _broken_browser[k])
+    if mm_cfg.BROKEN_BROWSER_WORKAROUND:
+        # Archiver can pass unicode here. Just skip them as the
+        # archiver escapes non-ascii anyway.
+        if isinstance(s, str):
+            for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
+                s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
     # Don't double escape html entities
     return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
 
diff --git a/NEWS b/NEWS
index 38549b4a..f6287bb7 100644
--- a/NEWS
+++ b/NEWS
@@ -41,6 +41,13 @@ Here is a history of user visible changes to Mailman.
       is responded to or just logged.  It defaults to Yes which is different
       from prior behavior.  Bug #410236.
 
+    - Two new mm_cfg.py settings, BROKEN_BROWSER_WORKAROUND and
+      BROKEN_BROWSER_REPLACEMENTS, have been added to control escaping of
+      additional characters beyond the standard <, >, &, and " in the web UI.
+      See the documentation of these settings in Defaults.py.  The default
+      values for these settings result in no change from the prior release.
+      Bug #774588.
+
   i18n
 
     - Fixed a missing format character in the Spanish translation.