authorMark Sapiro <msapiro@value.net>2011-04-25 16:26:13 -0700
committerMark Sapiro <msapiro@value.net>2011-04-25 16:26:13 -0700
commit7ef6c582816cb349f240054064d495753a916408 (patch)
tree57ab4a00cad7b892e8ef64ac58237ef0c2d30a7b
parent9bc9d9c391b0726d9b4538a79732f24f7d974443 (diff)
Strengthened escaping of user web data by including some characters that
some older browsers misinterpret as < or >.
-rw-r--r--Mailman/Utils.py8
-rw-r--r--NEWS3
2 files changed, 11 insertions, 0 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 847e450e..9a29662b 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -425,7 +425,15 @@ def check_global_password(response, siteadmin=True):
_ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
+# Characters misinterpreted as < or > by some broken browsers.
+_broken_browser = {'\x8b': '&#8249;',
+ '\x9b': '&#8250;',
+ '\xbc': '&#188;',
+ '\xbd': '&#190;',
+ }
def websafe(s):
+ for k in _broken_browser:
+ s = s.replace(k, _broken_browser[k])
# Don't double escape html entities
return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
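Review bot: The fourth `_broken_browser` entry is internally inconsistent: the key `'\xbd'` is byte 0xBD (decimal 189, U+00BD ½) but its replacement is `'&#190;'` (U+00BE ¾), so as written the new code silently turns one character into a different one while leaving byte 0xBE itself untouched. Since the neighbouring `'\xbc': '&#188;'` entry maps its byte to the same code point one-for-one, the key looks like a typo for the byte that `&#190;` denotes, and the line should read `'\xbe': '&#190;',`. A second point to confirm: `websafe` applies `str.replace` with non-ASCII byte-string keys, so if any caller passes a `unicode` object to this (apparently Python 2, given `cgi.escape`) function, the implicit ASCII coercion of the key would raise `UnicodeDecodeError` instead of escaping — if that can happen, the table also needs `unicode` keys or the loop needs a type check. Stylistically, iterating `for k, v in _broken_browser.items(): s = s.replace(k, v)` reads more clearly than indexing the dict inside the loop.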
diff --git a/NEWS b/NEWS
index 394d596a..8ee35b09 100644
--- a/NEWS
+++ b/NEWS
@@ -43,6 +43,9 @@ Here is a history of user visible changes to Mailman.
Bug Fixes and other patches
+ - Strengthened escaping of user web data by including some characters that
+ some older browsers misinterpret as < or >.
+
- Mailman now sets the 'secure' flag in cookies set via https URLs.
Bug #770377.