From e17a9218ddd5b614c2a02743cedc9652974af7af Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Wed, 3 Nov 2021 12:02:21 -0700 Subject: Fix a potentail XSS attack via the user options page. --- Mailman/Cgi/options.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Mailman') diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index 60b7d9b6..3db0a172 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -346,6 +346,8 @@ def main(): varhelp = qs[0] if varhelp: # Sanitize the topic name. + while '%' in varhelp: + varhelp = urllib.unquote_plus(varhelp) varhelp = re.sub('<.*', '', varhelp) topic_details(mlist, doc, user, cpuser, userlang, varhelp) return -- cgit v1.2.3