From ccec7cecdeffedb9a80b24488460932ec7907d09 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Wed, 4 Jul 2018 11:41:14 -0700 Subject: Escaping of HTML entities for the web UI is now done more selectively. --- Mailman/Utils.py | 9 ++++++--- Mailman/htmlformat.py | 4 +++- NEWS | 3 +++ 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 01dfa9c0..49121e28 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -473,7 +473,7 @@ def check_global_password(response, siteadmin=True): _ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE) -def websafe(s): +def websafe(s, doubleescape=False): # If a user submits a form or URL with post data or query fragments # with multiple occurrences of the same variable, we can get a list # here. Be as careful as possible. @@ -488,8 +488,11 @@ def websafe(s): if isinstance(s, str): for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS: s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k]) - # Don't double escape html entities - return _ampre.sub(r'&\1', cgi.escape(s, quote=True)) + if doubleescape: + return cgi.escape(s, quote=True) + else: + # Don't double escape html entities + return _ampre.sub(r'&\1', cgi.escape(s, quote=True)) def nntpsplit(s): diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py index 31795a8a..30be8127 100644 --- a/Mailman/htmlformat.py +++ b/Mailman/htmlformat.py @@ -495,7 +495,9 @@ class TextArea: def __init__(self, name, text='', rows=None, cols=None, wrap='soft', readonly=0): if isinstance(text, str): - safetext = Utils.websafe(text) + # Double escape HTML entities in non-readonly areas. + doubleescape = not readonly + safetext = Utils.websafe(text, doubleescape) else: safetext = text self.name = name diff --git a/NEWS b/NEWS index 19dc5105..4b7ebd6c 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,9 @@ Here is a history of user visible changes to Mailman. - The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was not working. This is fixed. (LP: #1779774) + - Escaping of HTML entities for the web UI is now done more selectively. + (LP: #1779445) + 2.1.27 (22-Jun-2018) Security -- cgit v1.2.3