authorMark Sapiro <mark@msapiro.net>2018-07-04 11:41:14 -0700
committerMark Sapiro <mark@msapiro.net>2018-07-04 11:41:14 -0700
commitccec7cecdeffedb9a80b24488460932ec7907d09 (patch)
tree6f2eb65ecd4f471448987835fd8eeba79733219c /Mailman
parent4e500d36c3fb89ad25a01e21b3ddf8bf21391abe (diff)
Escaping of HTML entities for the web UI is now done more selectively.
Diffstat (limited to 'Mailman')
-rw-r--r--Mailman/Utils.py9
-rw-r--r--Mailman/htmlformat.py4
2 files changed, 9 insertions, 4 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 01dfa9c0..49121e28 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -473,7 +473,7 @@ def check_global_password(response, siteadmin=True):
_ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
-def websafe(s):
+def websafe(s, doubleescape=False):
# If a user submits a form or URL with post data or query fragments
# with multiple occurrences of the same variable, we can get a list
# here. Be as careful as possible.
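Review bot: The new `doubleescape` parameter on the `websafe` signature is not described anywhere, and the comment block under the signature (which continues past this hunk) still only talks about list-valued input. Suggested line to add right after the opening comment: `# doubleescape: when true, entities already present in s (e.g. &lt;) are escaped again and render literally; when false (default) they are kept as entities.` Both settings still run the text through cgi.escape with quote=True, so the flag changes display fidelity, not whether markup is neutralized. The body of websafe is in the next hunk.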
@@ -488,8 +488,11 @@ def websafe(s):
if isinstance(s, str):
for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
- # Don't double escape html entities
- return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
+ if doubleescape:
+ return cgi.escape(s, quote=True)
+ else:
+ # Don't double escape html entities
+ return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
def nntpsplit(s):
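Review bot: Both branches of the new `if doubleescape:` call `cgi.escape(s, quote=True)`; computing it once and branching only on the post-processing reads more clearly: `escaped = cgi.escape(s, quote=True)` / `if doubleescape: return escaped` / `return _ampre.sub(r'&\1', escaped)`. A caveat worth stating in a comment now that the function grows options: cgi.escape does not escape the single quote, so neither branch yields text that is safe inside a single-quoted HTML attribute; that predates this change but callers choosing a mode should know it. Also, `_ampre` only reverts `&amp;` when it is followed by a named or numeric entity body, so a bare `&amp;` stays double-escaped in either mode, which the "Don't double escape" comment does not make obvious.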
diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py
index 31795a8a..30be8127 100644
--- a/Mailman/htmlformat.py
+++ b/Mailman/htmlformat.py
@@ -495,7 +495,9 @@ class TextArea:
def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
readonly=0):
if isinstance(text, str):
- safetext = Utils.websafe(text)
+ # Double escape HTML entities in non-readonly areas.
+ doubleescape = not readonly
+ safetext = Utils.websafe(text, doubleescape)
else:
safetext = text
self.name = name
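Review bot: The added comment states what is done but not why `readonly` is the deciding input; presumably an editable textarea must show stored entities literally so that the text the user resubmits is exactly what was stored, whereas a read-only area is display-only and may render them. Suggest expanding it to `# Editable areas round-trip their content: keep existing entities literal (double escape); read-only areas are display-only and may render them.` and confirming that reading against the handlers that consume these fields. Passing the flag by keyword, `Utils.websafe(text, doubleescape=doubleescape)`, would make the call self-explanatory without consulting the signature. `__init__` continues past the end of the hunk.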