authorMark Sapiro <msapiro@value.net>2007-12-04 11:52:18 -0800
committerMark Sapiro <msapiro@value.net>2007-12-04 11:52:18 -0800
commit18f080804e368c63de499b32717d57701aaf8880 (patch)
treeb9f33705aaf602cc16984f9e4c87c04ec12777bb /Mailman/Cgi
parent23c33ffc04737e21135743bdb7c56921966176a6 (diff)
Mailman/Cgi/edithtml.py
Mailman/Gui/General.py Mailman/Utils.py - Better detection of potentially evil HTML in GUI. Mailman/Version.py NEWS - Updates for 2.1.10b1 release. Mailman/Gui/General.py messages/mailman.pot - Added admin_member_chunksize to Gui. Two new associated messages.
Diffstat (limited to 'Mailman/Cgi')
-rw-r--r--Mailman/Cgi/edithtml.py17
1 files changed, 15 insertions, 2 deletions
diff --git a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py
index b5967b34..3aa8ab4e 100644
--- a/Mailman/Cgi/edithtml.py
+++ b/Mailman/Cgi/edithtml.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2007 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -159,7 +159,20 @@ def ChangeHTML(mlist, cgi_info, template_name, doc):
doc.AddItem('<hr>')
return
code = cgi_info['html_code'].value
- code = re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', code)
+ if Utils.suspiciousHTML(code):
+ doc.AddItem(Header(3,
+ _("""The page you saved contains suspicious HTML that could
+potentially expose your users to cross-site scripting attacks. This change
+has therefore been rejected. If you still want to make these changes, you
+must have shell access to your Mailman server.
+ """)))
+ doc.AddItem(_('See '))
+ doc.AddItem(Link(
+'http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.048.htp',
+ _('FAQ 4.48.')))
+ doc.AddItem(Header(3,_("Page Unchanged.")))
+ doc.AddItem('<hr>')
+ return
langdir = os.path.join(mlist.fullpath(), mlist.preferred_language)
# Make sure the directory exists
omask = os.umask(0)
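Review bot: The removed `re.sub` on `<script>` tags was the only in-place neutralization in this function, so after this hunk any template text that `Utils.suspiciousHTML` does not flag is written verbatim and later served to list members; that invariant now lives entirely in Mailman/Utils.py, outside this diff, and nothing here says so. I would add a comment above the new `if`, e.g. `# Reject-only gate: Utils.suspiciousHTML decides; nothing below escapes or rewrites code, so a miss there is written to the template as-is.` Since the old behaviour was to save a sanitized page and the new one is to silently keep the old page, it is presumably also worth recording the rejection (list name and admin) in the error log so an operator can see repeated attempts — confirm which logger edithtml.py already imports before adding that. ChangeHTML begins before this hunk and its file-writing tail continues past it.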