diff options
author | Mark Sapiro <mark@msapiro.net> | 2009-08-01 12:22:34 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2009-08-01 12:22:34 -0700 |
commit | fdfee4b34c818c410dd586e86ab1dad99c2a5f4c (patch) | |
tree | 3e7a392c2cbb093c58f9cbca14338ac6939d8e68 | |
parent | 205504d8f729af4a948ad7a3c9636939dbdc00b9 (diff) | |
download | mailman2-fdfee4b34c818c410dd586e86ab1dad99c2a5f4c.tar.gz mailman2-fdfee4b34c818c410dd586e86ab1dad99c2a5f4c.tar.xz mailman2-fdfee4b34c818c410dd586e86ab1dad99c2a5f4c.zip |
XSS protection in the web interface went too far in escaping HTML
entities. Fixed.
-rw-r--r-- | Mailman/Utils.py | 4 | ||||
-rw-r--r-- | NEWS | 3 |
2 files changed, 6 insertions, 1 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index b0eb2dd0..5cba077e 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -424,8 +424,10 @@ def check_global_password(response, siteadmin=True): +_ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE) def websafe(s): - return cgi.escape(s, quote=True) + # Don't double escape html entities + return _ampre.sub(r'&\1', cgi.escape(s, quote=True)) def nntpsplit(s): @@ -8,6 +8,9 @@ Here is a history of user visible changes to Mailman. Bug Fixes and other patches + - XSS protection in the web interface went too far in escaping HTML + entities. Fixed. + - Removed or anonymized additional headers in posts to anonymous lists. - Fixed a bug that could cause incorrect threading of replies to archived |