Diffstat (limited to '')
-rw-r--r-- | Mailman/Defaults.py.in | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index ef8bdd3b..5c42e5e9 100644
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -201,6 +201,31 @@ WEB_VLINK_COLOR = '' # If true, forces VLINK=
 WEB_HIGHLIGHT_COLOR = '#dddddd' # If true, alternating rows
 # in listinfo & admin display
+# User entered data is escaped for redisplay in web responses to avoid Cross
+# Site Scripting (XSS) attacks. The normal escaping replaces the characters
+# <, >, & and " with the respective HTML entities <, >, & and
+# ". There are apparently some older, broken browsers that misinterpret
+# certain non-ascii characters as <, > or ". The following two settings
+# control whether additional characters are escaped, and what characters are
+# replaced with what. Note that in character sets that represent some
+# characters as multi-byte sequences, enabling the escaping of additional
+# characters can replace part of a multi-byte sequence with an HTML entity,
+# thus breaking an otherwise harmless character.
+#
+# Enable the replacement of additional characters when escaping strings for
+# the web.
+BROKEN_BROWSER_WORKAROUND = No
+#
+# If the above setting is Yes, the following dictionary definition determines
+# what additional characters are replaced with what.
+BROKEN_BROWSER_REPLACEMENTS = {'\x8b': '‹', # single left angle quote
+ '\x9b': '›', # single right angle quote
+ '\xbc': '¼', # < plus high order bit
+ '\xbe': '¾', # > plus high order bit
+ '\xa2': '¢', # " plus high order bit
+ }
+
+
 #####
 # Archive defaults |
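Review bot: The comment above BROKEN_BROWSER_WORKAROUND understates the damage on UTF-8 sites: every key in BROKEN_BROWSER_REPLACEMENTS (\x8b, \x9b, \xa2, \xbc, \xbe) falls in the 0x80–0xBF range that UTF-8 reserves for continuation bytes, so if the substitution runs over encoded byte strings (which the single-byte keys suggest) enabling it on a UTF-8 list would corrupt most non-ASCII text rather than occasionally "breaking an otherwise harmless character". I would state that next to the switch, e.g. `# Only enable this for lists whose web charset is single-byte (e.g. ISO-8859-1); under UTF-8 every key below is a continuation byte and output will be mangled.` It is also worth saying in the same comment that this is a defense-in-depth measure against browser charset sniffing and that serving pages with an explicit charset in the Content-Type header remains the primary mitigation, so administrators do not treat the byte substitution as a substitute for it. The code that consumes these two settings is not in this hunk, so whether it operates on bytes or on decoded text is inferred here rather than visible.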