author | Mark Sapiro <mark@msapiro.net> | 2018-07-04 11:41:14 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2018-07-04 11:41:14 -0700 |
commit | ccec7cecdeffedb9a80b24488460932ec7907d09 (patch) | |
tree | 6f2eb65ecd4f471448987835fd8eeba79733219c | |
parent | 4e500d36c3fb89ad25a01e21b3ddf8bf21391abe (diff) | |
Escaping of HTML entities for the web UI is now done more selectively.
-rw-r--r-- | Mailman/Utils.py | 9 | ||||
-rw-r--r-- | Mailman/htmlformat.py | 4 | ||||
-rw-r--r-- | NEWS | 3 |
3 files changed, 12 insertions, 4 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 01dfa9c0..49121e28 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -473,7 +473,7 @@ def check_global_password(response, siteadmin=True):
 _ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
 
 
-def websafe(s):
+def websafe(s, doubleescape=False):
     # If a user submits a form or URL with post data or query fragments
     # with multiple occurrences of the same variable, we can get a list
     # here. Be as careful as possible.
@@ -488,8 +488,11 @@ def websafe(s):
     if isinstance(s, str):
         for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
             s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
-    # Don't double escape html entities
-    return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
+    if doubleescape:
+        return cgi.escape(s, quote=True)
+    else:
+        # Don't double escape html entities
+        return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
 
 
 def nntpsplit(s):
diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py
index 31795a8a..30be8127 100644
--- a/Mailman/htmlformat.py
+++ b/Mailman/htmlformat.py
@@ -495,7 +495,9 @@ class TextArea:
     def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
                  readonly=0):
         if isinstance(text, str):
-            safetext = Utils.websafe(text)
+            # Double escape HTML entities in non-readonly areas.
+            doubleescape = not readonly
+            safetext = Utils.websafe(text, doubleescape)
         else:
             safetext = text
         self.name = name
@@ -12,6 +12,9 @@ Here is a history of user visible changes to Mailman.
   - The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was
     not working. This is fixed. (LP: #1779774)
 
+  - Escaping of HTML entities for the web UI is now done more selectively.
+    (LP: #1779445)
+
 2.1.27 (22-Jun-2018)
 
   Security |
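Review bot: The new `doubleescape` parameter on `websafe` is undocumented, and the function has no docstring at all; the only explanation of the two modes is the one-line comment left in the `else` branch of the following hunk. I would add a docstring directly under the `def` line saying that the return value always has `<`, `>`, `"` and `&` escaped by `cgi.escape(..., quote=True)`, that with the default `doubleescape=False` the `_ampre` substitution then restores an `&` that is immediately followed by something shaped like an entity (`&amp;` stays `&amp;`, `&#123;` stays `&#123;`), and that `doubleescape=True` keeps every `&` escaped and is the mode to use when the output will be decoded by the browser again, as in an editable form control. Because the default is `False`, every existing caller keeps the entity-preserving behaviour; that is presumably intended, but it is worth stating in the docstring so the next caller chooses deliberately. The body of `websafe` between these two hunks (the list-handling the comment describes) is outside the diff.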
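Review bot: Both branches of the new `if doubleescape:` call `cgi.escape(s, quote=True)`, so the escape step is written twice and any future change to it has to be made in two places. Hoisting it keeps the two modes visibly identical up to the final substitution: `escaped = cgi.escape(s, quote=True)` followed by `return escaped if doubleescape else _ampre.sub(r'&\1', escaped)`, with the existing "Don't double escape html entities" comment kept above that line. Behaviour is unchanged either way; this is a readability point only.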
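Review bot: `Utils.websafe(text, doubleescape)` passes a boolean positionally, and the comment above it says what is done but not why; a reader of `TextArea.__init__` cannot tell from these lines why an editable area needs the stricter escaping. I would collapse the two added lines to `safetext = Utils.websafe(text, doubleescape=not readonly)` and reword the comment to give the reason, which I take (hedged, from the linked LP: #1779445 rather than from these lines) to be that the browser decodes entities inside an editable textarea before resubmission, so a once-escaped `&amp;lt;` would come back as `<`. The same consideration presumably applies to any other editable control in htmlformat.py that still calls `websafe` with the default `doubleescape=False`, which is worth checking in the same pass. Note that `__init__` continues past the end of this hunk, and that the `else: safetext = text` branch for non-`str` text is pre-existing context, not part of this change.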