-rw-r--r--Mailman/Utils.py9
-rw-r--r--Mailman/htmlformat.py4
-rw-r--r--NEWS3
3 files changed, 12 insertions, 4 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 01dfa9c0..49121e28 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -473,7 +473,7 @@ def check_global_password(response, siteadmin=True):
_ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
-def websafe(s):
+def websafe(s, doubleescape=False):
# If a user submits a form or URL with post data or query fragments
# with multiple occurrences of the same variable, we can get a list
# here. Be as careful as possible.
@@ -488,8 +488,11 @@ def websafe(s):
if isinstance(s, str):
for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
- # Don't double escape html entities
- return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
+ if doubleescape:
+ return cgi.escape(s, quote=True)
+ else:
+ # Don't double escape html entities
+ return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
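Review bot: The new `doubleescape` flag is undocumented at its definition; the only explanation of when a caller should set it lives in the htmlformat.py call site, and the signature hunk above adds no docstring for it. A short comment on the branch would make the contract local, for example `# doubleescape: also escape the '&' of existing entities so the text round-trips verbatim through an editable control; the default leaves entities intact for display-only output.` The `cgi.escape(s, quote=True)` call is also duplicated across the two branches and the `else` after a `return` is redundant; hoisting it to `escaped = cgi.escape(s, quote=True)` and returning `escaped` or `_ampre.sub(r'&\1', escaped)` reads more plainly. websafe's definition and the earlier part of its body lie outside this hunk.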
def nntpsplit(s):
diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py
index 31795a8a..30be8127 100644
--- a/Mailman/htmlformat.py
+++ b/Mailman/htmlformat.py
@@ -495,7 +495,9 @@ class TextArea:
def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
readonly=0):
if isinstance(text, str):
- safetext = Utils.websafe(text)
+ # Double escape HTML entities in non-readonly areas.
+ doubleescape = not readonly
+ safetext = Utils.websafe(text, doubleescape)
else:
safetext = text
self.name = name
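Review bot: The boolean is passed positionally on the `safetext = Utils.websafe(text, doubleescape)` line, so a reader of the call site has to know websafe's parameter order to see what is being toggled; passing it by keyword, `safetext = Utils.websafe(text, doubleescape=not readonly)`, keeps the intent at the call site and removes the one-use local. The comment that readonly areas are not double escaped is helpful; it could also say why, i.e. that an editable textarea's contents are re-submitted, so entities must survive the round trip unchanged. The body of `TextArea.__init__` continues past the end of this hunk.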
diff --git a/NEWS b/NEWS
index 19dc5105..4b7ebd6c 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,9 @@ Here is a history of user visible changes to Mailman.
- The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was
not working. This is fixed. (LP: #1779774)
+ - Escaping of HTML entities for the web UI is now done more selectively.
+ (LP: #1779445)
+
2.1.27 (22-Jun-2018)
Security