-rw-r--r-- | Mailman/Defaults.py.in | 25 | ||||
-rw-r--r-- | Mailman/Utils.py | 18 | ||||
-rw-r--r-- | NEWS | 7 |
3 files changed, 38 insertions, 12 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index ef8bdd3b..5c42e5e9 100644
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -201,6 +201,31 @@ WEB_VLINK_COLOR = '' # If true, forces VLINK=
 WEB_HIGHLIGHT_COLOR = '#dddddd' # If true, alternating rows
 # in listinfo & admin display
+# User entered data is escaped for redisplay in web responses to avoid Cross
+# Site Scripting (XSS) attacks. The normal escaping replaces the characters
+# <, >, & and " with the respective HTML entities <, >, & and
+# ". There are apparently some older, broken browsers that misinterpret
+# certain non-ascii characters as <, > or ". The following two settings
+# control whether additional characters are escaped, and what characters are
+# replaced with what. Note that in character sets that represent some
+# characters as multi-byte sequences, enabling the escaping of additional
+# characters can replace part of a multi-byte sequence with an HTML entity,
+# thus breaking an otherwise harmless character.
+#
+# Enable the replacement of additional characters when escaping strings for
+# the web.
+BROKEN_BROWSER_WORKAROUND = No
+#
+# If the above setting is Yes, the following dictionary definition determines
+# what additional characters are replaced with what.
+BROKEN_BROWSER_REPLACEMENTS = {'\x8b': '‹', # single left angle quote
+'\x9b': '›', # single right angle quote
+'\xbc': '¼', # < plus high order bit
+'\xbe': '¾', # > plus high order bit
+'\xa2': '¢', # " plus high order bit
+}
+
+
 #####
 # Archive defaults
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index f9a4e690..c93df81f 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
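Review bot: The new comment block above BROKEN_BROWSER_REPLACEMENTS does not say that the workaround is applied to byte strings only — the Utils.py hunk on this page skips it for anything that fails `isinstance(s, str)` — nor that the dictionary values have to be HTML entity references. The replacement runs before `cgi.escape()` and only an entity-shaped `&` appears to be restored afterwards by the `_ampre` pass in Utils.py, so any other markup placed in a value would be escaped rather than emitted. Suggest adding to the comment: `# Keys are single bytes and are replaced in byte strings only (unicode is passed through); values must be HTML entity references, anything else is escaped by websafe().` The Defaults.py.in hunk is complete as shown.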
@@ -425,19 +425,13 @@ def check_global_password(response, siteadmin=True):
 _ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
-# Characters misinterpreted as < or > by some broken browsers.
-_broken_browser = {'\x8b': '‹',
- '\x9b': '›',
- '\xbc': '¼',
- '\xbe': '¾',
- '\xa2': '¢'
- }
 def websafe(s):
- # Archiver can pass unicode here. Just skip them as the
- # archiver escapes non-ascii anyway.
- if isinstance(s, str):
- for k in _broken_browser:
- s = s.replace(k, _broken_browser[k])
+ if mm_cfg.BROKEN_BROWSER_WORKAROUND:
+ # Archiver can pass unicode here. Just skip them as the
+ # archiver escapes non-ascii anyway.
+ if isinstance(s, str):
+ for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
+ s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
 # Don't double escape html entities
 return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
@@ -41,6 +41,13 @@ Here is a history of user visible changes to Mailman.
 is responded to or just logged. It defaults to Yes which is different
 from prior behavior. Bug #410236.
+ - Two new mm_cfg.py settings, BROKEN_BROWSER_WORKAROUND and
+ BROKEN_BROWSER_REPLACEMENTS, have been added to control escaping of
+ additional characters beyond the standard <, >, &, and " in the web UI.
+ See the documentation of these settings in Defaults.py. The default
+ values for these settings result in no change from the prior release.
+ Bug #774588.
+
 i18n
 - Fixed a missing format character in the Spanish translation. |
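Review bot: `websafe` is the HTML-escaping chokepoint this hunk reworks, yet it still carries no docstring stating its contract; suggest one saying that `cgi.escape(s, quote=True)` escapes `<`, `>`, `&` and `"` but not `'`, so the result is safe in element text and double-quoted attributes only, and that the `_ampre` pass deliberately leaves pre-existing entity references single-escaped. The new loop looks the config dict up twice per key; `for k, v in mm_cfg.BROKEN_BROWSER_REPLACEMENTS.items(): s = s.replace(k, v)` is the idiomatic form and also stops re-reading `mm_cfg` inside the loop. The removed `_broken_browser` table was applied unconditionally while the new default is `BROKEN_BROWSER_WORKAROUND = No`, so if that table shipped in the prior release the NEWS hunk's claim of "no change from the prior release" should be revisited. The whole of `websafe` is visible in this hunk.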