authorbwarsaw <>2004-02-17 19:27:46 +0000
committerbwarsaw <>2004-02-17 19:27:46 +0000
commite565a87da1a41016155cfd08c326e36901cb7531 (patch)
treee27925ae8b2a1aacb8d1ca23d4704b52862758ce
parent19b7fa435db9c4e311f05c274d2d49a685cf4af6 (diff)
_escape(): Everything except the 'info' variable gets the normal web-safe
escaping. 'info' sanitizes just <script> and </script> tags. This partially closes bugs 870028 and 881369.
-rw-r--r--Mailman/Gui/General.py27
1 files changed, 19 insertions, 8 deletions
diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py
index a33d1004..7cf1ee06 100644
--- a/Mailman/Gui/General.py
+++ b/Mailman/Gui/General.py
@@ -1,22 +1,24 @@
-# Copyright (C) 2001,2002 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2004 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
-#
+#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
+# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
"""MailList mixin class managing the general options.
"""
+import re
+
from Mailman import mm_cfg
from Mailman import Utils
from Mailman import Errors
@@ -174,7 +176,7 @@ class General(GUIBase):
messages, overriding the header in the original message if
necessary (<em>Explicit address</em> inserts the value of <a
href="?VARHELP=general/reply_to_address">reply_to_address</a>).
-
+
<p>There are many reasons not to introduce or override the
<tt>Reply-To:</tt> header. One is that some posters depend on
their own <tt>Reply-To:</tt> settings to convey their valid
@@ -283,7 +285,7 @@ class General(GUIBase):
<li>A blank line separates paragraphs.
</ul>""")),
- ('send_welcome_msg', mm_cfg.Radio, (_('No'), _('Yes')), 0,
+ ('send_welcome_msg', mm_cfg.Radio, (_('No'), _('Yes')), 0,
_('Send welcome message to newly subscribed members?'),
_("""Turn this off only if you plan on subscribing people manually
and don't want them to know that you did so. This option is most
@@ -310,7 +312,7 @@ class General(GUIBase):
('admin_notify_mchanges', mm_cfg.Radio, (_('No'), _('Yes')), 0,
_('''Should administrator get notices of subscribes and
unsubscribes?''')),
-
+
('respond_to_post_requests', mm_cfg.Radio,
(_('No'), _('Yes')), 0,
_('Send mail to poster when their posting is held for approval?'),
@@ -338,7 +340,7 @@ class General(GUIBase):
# to tell if all were deselected!
0, _('''Default options for new members joining this list.<input
type="hidden" name="new_member_options" value="ignore">'''),
-
+
_("""When a new member is subscribed to this list, their initial
set of options is taken from the this variable's setting.""")),
@@ -430,6 +432,15 @@ class General(GUIBase):
else:
GUIBase._setValue(self, mlist, property, val, doc)
+ def _escape(self, property, value):
+ # The 'info' property allows HTML, but lets sanitize it to avoid XSS
+ # exploits. Everything else should be fully escaped.
+ if property <> 'info':
+ return GUIBase._escape(self, property, value)
+ # Sanitize <script> and </script> tags but nothing else. Not the best
+ # solution, but expedient.
+ return re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', value)
+
def _postValidate(self, mlist, doc):
if not mlist.reply_to_address.strip() and \
mlist.reply_goes_to_list == 2:
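Review bot: The re.sub on the last line of the new _escape is case-sensitive and its `.` does not cross a newline, so a script tag written in another letter case, or with a line break inside the tag, comes back unchanged even though the `property <> 'info'` test above has already routed the value around GUIBase._escape. Inline flags close that gap without touching anything else: `return re.sub(r'(?is)<([/]?script.*?)>', r'&lt;\1&gt;', value)`. As the in-code comment and the commit message already concede, this is still a deny-list: any markup other than script tags, including event-handler and URL attributes on tags that are let through, reaches the rendered page unescaped, so an allow-list of permitted tags and attributes is the durable fix and deserves a `# TODO: replace with an allow-list of tags/attributes` on the method. _escape is entirely inside the hunk; the enclosing class General starts outside it.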