From 369a0c8bf117099edb3761b38eadda68ad1cfefc Mon Sep 17 00:00:00 2001
From: tkikuchi <>
Date: Tue, 4 Apr 2006 23:47:14 +0000
Subject: Fix XSS bug: Thanks Moritz Naumann. (CVE-2006-1512)

---
 Mailman/Cgi/private.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 35b38dea..86608418 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -148,9 +148,10 @@ def main():
         # page don't work.
         if true_filename.endswith('/index.html') and parts[-1] <> 'index.html':
             action += SLASH
+        # Escape web input parameter to avoid cross-site scripting.
         print Utils.maketext(
             'private.html',
-            {'action'  : action,
+            {'action'  : Utils.websafe(action),
              'realname': mlist.real_name,
              'message' : message,
              }, mlist=mlist)
-- 
cgit v1.2.3