author | bwarsaw <> | 2006-08-30 14:54:22 +0000 |
---|---|---|
committer | bwarsaw <> | 2006-08-30 14:54:22 +0000 |
commit | 0cee915eeb5f8f99ed036d257b1103c28373eb5b (patch) | |
tree | 1489a315aaa485d4c1aa91762b63a232fb23149d /Mailman/Cgi/admindb.py | |
parent | 14bb48657eae40f5ef80adeebd021d6a186e2cd2 (diff) | |
CVE-2006-3636. Fixes for various cross-site scripting issues. Discovery by
Moritz Naumann and most of the repair work done by Mark Sapiro (with some
additional work by Barry).
Diffstat (limited to '')
-rw-r--r-- | Mailman/Cgi/admindb.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py
index 7f42c8ac..f36daae0 100644
--- a/Mailman/Cgi/admindb.py
+++ b/Mailman/Cgi/admindb.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -313,7 +313,7 @@ def show_pending_subs(mlist, form):
 ' ' + _('Permanently ban from this list')
 # While the address may be a unicode, it must be ascii
 paddr = addr.encode('us-ascii', 'replace')
- table.AddRow(['%s<br><em>%s</em>' % (paddr, fullname),
+ table.AddRow(['%s<br><em>%s</em>' % (paddr, Utils.websafe(fullname)),
 radio,
 TextBox('comment-%d' % id, size=40)
 ])
@@ -357,7 +357,7 @@ def show_pending_unsubs(mlist, form):
 mlist.HandleRequest(id, mm_cfg.DISCARD)
 continue
 num += 1
- table.AddRow(['%s<br><em>%s</em>' % (addr, fullname),
+ table.AddRow(['%s<br><em>%s</em>' % (addr, Utils.websafe(fullname)),
 RadioButtonArray(id, (_('Defer'),
 _('Approve'),
 _('Reject'), |
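Review bot: The address half of each row is still interpolated into the HTML string unescaped in both the show_pending_subs hunk and the show_pending_unsubs hunk; only `fullname` is wrapped in `Utils.websafe`, while `paddr` (first hunk) and `addr` (second hunk) go straight into `'%s<br><em>%s</em>'`. The `encode('us-ascii', 'replace')` step in the first hunk only narrows the character set and does not neutralise `<`, `>`, `&` or quotes, so unless upstream address validation is known to reject those characters the same escaping belongs on the address, e.g. `table.AddRow(['%s<br><em>%s</em>' % (Utils.websafe(paddr), Utils.websafe(fullname)),` and `table.AddRow(['%s<br><em>%s</em>' % (Utils.websafe(addr), Utils.websafe(fullname)),`. The second hunk also omits the us-ascii encoding the first performs, so the two rows are built inconsistently and the unsubscribe row may receive a unicode address where the subscribe row receives a byte string. Both enclosing functions start and end outside the hunks.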