authorMark Sapiro <msapiro@value.net>2007-12-04 11:52:18 -0800
committerMark Sapiro <msapiro@value.net>2007-12-04 11:52:18 -0800
commit18f080804e368c63de499b32717d57701aaf8880 (patch)
treeb9f33705aaf602cc16984f9e4c87c04ec12777bb /Mailman/Gui
parent23c33ffc04737e21135743bdb7c56921966176a6 (diff)
Mailman/Cgi/edithtml.py
Mailman/Gui/General.py Mailman/Utils.py - Better detection of potentially evil HTML in GUI. Mailman/Version.py NEWS - Updates for 2.1.10b1 release. Mailman/Gui/General.py messages/mailman.pot - Added admin_member_chunksize to Gui. Two new associated messages.
Diffstat (limited to 'Mailman/Gui')
-rw-r--r--Mailman/Gui/General.py32
1 files changed, 23 insertions, 9 deletions
diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py
index 6b03fd2c..8271a30e 100644
--- a/Mailman/Gui/General.py
+++ b/Mailman/Gui/General.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2006 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2007 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -19,6 +19,8 @@
import re
+from types import IntType
+
from Mailman import mm_cfg
from Mailman import Utils
from Mailman import Errors
@@ -358,6 +360,10 @@ class General(GUIBase):
_('''Maximum length in kilobytes (KB) of a message body. Use 0
for no limit.''')),
+ ('admin_member_chunksize', mm_cfg.Number, 7, 0,
+ _('''Maximum number of members to show on one page of the
+ Membership List.''')),
+
('host_name', mm_cfg.Host, WIDTH, 0,
_('Host name this list prefers for email.'),
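Review bot: The help text added for `admin_member_chunksize` does not mention the lower bound that `_setValue` enforces for it (the hunk at line 46 rejects anything below 1 or non-integer), so an admin only discovers the constraint after a rejected save. Consider extending the description to `_('''Maximum number of members to show on one page of the Membership List. Must be an integer greater than 0.''')`, which also keeps the form text and the error message in the later hunk consistent.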
@@ -436,17 +442,25 @@ class General(GUIBase):
# Convert any html entities to Unicode
mlist.subject_prefix = Utils.canonstr(
val, mlist.preferred_language)
+ elif property == 'info':
+ if val <> mlist.info:
+ if Utils.suspiciousHTML(val):
+ doc.addError(_("""The <b>info</b> attribute you saved
+contains suspicious HTML that could potentially expose your users to cross-site
+scripting attacks. This change has therefore been rejected. If you still want
+to make these changes, you must have shell access to your Mailman server.
+This change can be made with bin/withlist or with bin/config_list by setting
+mlist.info.
+ """))
+ else:
+ mlist.info = val
+ elif property == 'admin_member_chunksize' and (val < 1
+ or not isinstance(val, IntType)):
+ doc.addError(_("""<b>admin_member_chunksize</b> attribute not
+ changed! It must be an integer > 0."""))
else:
GUIBase._setValue(self, mlist, property, val, doc)
- def _escape(self, property, value):
- # The 'info' property allows HTML, but let's sanitize it to avoid XSS
- # exploits. Everything else should be fully escaped.
- if property <> 'info':
- return GUIBase._escape(self, property, value)
- # Sanitize <script> and </script> tags but nothing else. Not the best
- # solution, but expedient.
- return re.sub(r'(?i)<([/]?script.*?)>', r'&lt;\1&gt;', value)
def _postValidate(self, mlist, doc):
if not mlist.reply_to_address.strip() and \
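Review bot: The new `info` branch assigns `mlist.info = val` directly rather than delegating to `GUIBase._setValue` as every other property in this method does, so whatever the base implementation does beyond plain assignment (it is outside this hunk) is skipped for this attribute; if that is deliberate, a comment such as `# Assigned directly: the value has already passed the suspiciousHTML check above` would make the intent clear. Removing the `_escape` override means the cross-site-scripting protection for `info` now rests entirely on `Utils.suspiciousHTML`, which the commit message says lives in Mailman/Utils.py and is not visible here, so the check deserves a comment naming that dependency, e.g. `# HTML is allowed in info; reject values Utils.suspiciousHTML flags instead of trying to sanitize them`. In the `admin_member_chunksize` branch the type test reads more naturally ahead of the comparison, `elif property == 'admin_member_chunksize' and (not isinstance(val, IntType) or val < 1):`, and `int` would serve in place of `IntType`, making the import added in the hunk at line 32 unnecessary. The `<>` operator on line 51 is the legacy spelling; `!=` is the conventional form even in this code base's Python 2 idiom.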