From fdfee4b34c818c410dd586e86ab1dad99c2a5f4c Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Sat, 1 Aug 2009 12:22:34 -0700
Subject: XSS protection in the web interface went too far in escaping HTML
 entities.  Fixed.

---
 Mailman/Utils.py | 4 +++-
 NEWS             | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index b0eb2dd0..5cba077e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -424,8 +424,10 @@ def check_global_password(response, siteadmin=True):
 
 
 
+_ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
 def websafe(s):
-    return cgi.escape(s, quote=True)
+    # Don't double escape html entities
+    return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
 
 
 def nntpsplit(s):
diff --git a/NEWS b/NEWS
index 477a81f0..47bc5f73 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,9 @@ Here is a history of user visible changes to Mailman.
 
   Bug Fixes and other patches
 
+    - XSS protection in the web interface went too far in escaping HTML
+      entities.  Fixed.
+
     - Removed or anonymized additional headers in posts to anonymous lists.
 
     - Fixed a bug that could cause incorrect threading of replies to archived
-- 
cgit v1.2.3