authorMark Sapiro <mark@msapiro.net>2009-08-01 12:22:34 -0700
committerMark Sapiro <mark@msapiro.net>2009-08-01 12:22:34 -0700
commitfdfee4b34c818c410dd586e86ab1dad99c2a5f4c (patch)
tree3e7a392c2cbb093c58f9cbca14338ac6939d8e68 /Mailman
parent205504d8f729af4a948ad7a3c9636939dbdc00b9 (diff)
XSS protection in the web interface went too far in escaping HTML
entities. Fixed.
Diffstat (limited to 'Mailman')
-rw-r--r--Mailman/Utils.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index b0eb2dd0..5cba077e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -424,8 +424,10 @@ def check_global_password(response, siteadmin=True):
+_ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
def websafe(s):
- return cgi.escape(s, quote=True)
+ # Don't double escape html entities
+ return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
def nntpsplit(s):
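Review bot: The new `_ampre` pattern covers named and decimal numeric references but not hexadecimal ones, so `&#x3c;` in the input is still emitted as `&amp;#x3c;` while `&#60;` passes through unchanged; if the intent is to preserve every well-formed reference, the numeric alternative should read `#(?:x[0-9a-f]+|[0-9]+)` (the flag already makes it case-insensitive). The invariant that matters for XSS still holds either way: cgi.escape still replaces every `<`, `>` and `"`, and the substitution only rewrites an `&amp;` that is immediately followed by a complete reference, so no bare `&` or markup character can reach the output. Since `websafe` is no longer a pure escaper — `websafe('&amp;')` and `websafe('&')` both return `&amp;` — that contract belongs in a docstring, e.g. `"""Escape s for HTML output; an entity reference already present in s, such as &amp; or &#169;, is preserved rather than double-escaped."""`. The `_ampre` line could also carry a one-line comment noting that `[a-z]+` accepts any alphabetic name, not only valid HTML entities, so an unknown reference like `&foo;` is passed through verbatim.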