author | Mark Sapiro <msapiro@value.net> | 2007-12-04 11:52:18 -0800 |
---|---|---|
committer | Mark Sapiro <msapiro@value.net> | 2007-12-04 11:52:18 -0800 |
commit | 18f080804e368c63de499b32717d57701aaf8880 (patch) | |
tree | b9f33705aaf602cc16984f9e4c87c04ec12777bb /Mailman/Gui | |
parent | 23c33ffc04737e21135743bdb7c56921966176a6 (diff) | |
Mailman/Cgi/edithtml.py
Mailman/Gui/General.py
Mailman/Utils.py - Better detection of potentially evil HTML in GUI.
Mailman/Version.py
NEWS - Updates for 2.1.10b1 release.
Mailman/Gui/General.py
messages/mailman.pot - Added admin_member_chunksize to Gui. Two new
associated messages.
Diffstat (limited to 'Mailman/Gui')
-rw-r--r-- | Mailman/Gui/General.py | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py
index 6b03fd2c..8271a30e 100644
--- a/Mailman/Gui/General.py
+++ b/Mailman/Gui/General.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2006 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2007 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -19,6 +19,8 @@
 import re
+from types import IntType
+
 from Mailman import mm_cfg
 from Mailman import Utils
 from Mailman import Errors
@@ -358,6 +360,10 @@ class General(GUIBase):
 _('''Maximum length in kilobytes (KB) of a message body. Use 0 for no limit.''')),
+ ('admin_member_chunksize', mm_cfg.Number, 7, 0,
+ _('''Maximum number of members to show on one page of the
+ Membership List.''')),
+
 ('host_name', mm_cfg.Host, WIDTH, 0, _('Host name this list prefers for email.'),
@@ -436,17 +442,25 @@ class General(GUIBase):
 # Convert any html entities to Unicode
 mlist.subject_prefix = Utils.canonstr( val, mlist.preferred_language)
+ elif property == 'info':
+ if val <> mlist.info:
+ if Utils.suspiciousHTML(val):
+ doc.addError(_("""The <b>info</b> attribute you saved
+contains suspicious HTML that could potentially expose your users to cross-site
+scripting attacks. This change has therefore been rejected. If you still want
+to make these changes, you must have shell access to your Mailman server.
+This change can be made with bin/withlist or with bin/config_list by setting
+mlist.info.
+ """))
+ else:
+ mlist.info = val
+ elif property == 'admin_member_chunksize' and (val < 1
+ or not isinstance(val, IntType)):
+ doc.addError(_("""<b>admin_member_chunksize</b> attribute not
+ changed! It must be an integer > 0."""))
 else:
 GUIBase._setValue(self, mlist, property, val, doc)
- def _escape(self, property, value):
- # The 'info' property allows HTML, but let's sanitize it to avoid XSS
- # exploits. Everything else should be fully escaped.
- if property <> 'info':
- return GUIBase._escape(self, property, value)
- # Sanitize <script> and </script> tags but nothing else. Not the best
- # solution, but expedient.
- return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value)
 def _postValidate(self, mlist, doc):
 if not mlist.reply_to_address.strip() and \
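Review bot: In the new `admin_member_chunksize` guard the comparison `val < 1` is evaluated before `isinstance(val, IntType)`, so the type test never shields the comparison; reversing the order, `elif property == 'admin_member_chunksize' and (not isinstance(val, IntType) or val < 1):`, rejects a non-integer on the type test instead of relying on Python 2's cross-type ordering. The `info` branch screens `val` only when it differs from the stored `mlist.info`, so a value saved before this check existed is never re-examined here; a comment such as `# Screened only on change; a previously stored value is not re-checked.` above `if val <> mlist.info:` would make that explicit. Removing the `_escape` override means `info` now goes through `GUIBase._escape` for display like every other property, which looks like the intended companion to the save-time `Utils.suspiciousHTML` check, but both of those live outside this hunk. The enclosing `_setValue` method begins outside the hunk.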