From e4e38ef99ec8c747dfe2cf60b60b6271301a3244 Mon Sep 17 00:00:00 2001
From: bwarsaw <>
Date: Sat, 13 Dec 2003 16:27:42 +0000
Subject: handleForm(): Close some cross-site scripting holes found by Dirk Mueller.
---
 Mailman/Gui/GUIBase.py | 8 ++++----
 Mailman/Gui/Topics.py | 1 +
 2 files changed, 5 insertions(+), 4 deletions(-)
(limited to 'Mailman')
diff --git a/Mailman/Gui/GUIBase.py b/Mailman/Gui/GUIBase.py
index 8e9171d6..a5437009 100644
--- a/Mailman/Gui/GUIBase.py
+++ b/Mailman/Gui/GUIBase.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2002 by the Free Software Foundation, Inc.
+# Copyright (C) 2002-2003 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -140,11 +140,11 @@ class GUIBase:
 elif not cgidata.has_key(property):
 continue
 elif isinstance(cgidata[property], ListType):
- val = [x.value for x in cgidata[property]]
+ val = [Utils.websafe(x.value) for x in cgidata[property]]
 else:
- val = cgidata[property].value
+ val = Utils.websafe(cgidata[property].value)
 # Coerce the value to the expected type, raising exceptions if the
- # value is invalid
+ # value is invalid.
 try:
 val = self._getValidValue(mlist, property, wtype, val)
 except ValueError:
diff --git a/Mailman/Gui/Topics.py b/Mailman/Gui/Topics.py
index 5f6de8d8..76bfd1e4 100644
--- a/Mailman/Gui/Topics.py
+++ b/Mailman/Gui/Topics.py
@@ -120,6 +120,7 @@ class Topics(GUIBase):
 a pattern. Incomplete topics will be ignored."""))
 continue
 # Make sure the pattern was a legal regular expression
+ name = Utils.websafe(name)
 try:
 re.compile(pattern)
 except (re.error, TypeError):
--
cgit v1.2.3
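Review bot: Applying `Utils.websafe` to `val` on the input side, before `_getValidValue` sees it, changes what is validated and stored rather than what is rendered: any option whose legitimate value contains `<`, `>`, `&` or quotes (regex-valued options, address lists, free-text headers) is now checked and saved in HTML-escaped form, and if the form is later re-displayed through a path that already escapes on output it will be double-escaped. The durable fix for the reflected XSS is to escape at the point where values are written into the HTML page and leave `val` raw here; if input-side escaping is kept deliberately, restrict it to free-text widget types and record the decision with a comment such as `# Escape only free-text widgets here; structured values are validated by _getValidValue` so the next maintainer does not "fix" the stored `&amp;`. handleForm() starts and ends outside this hunk, so whether the `except ValueError` path re-renders `val` unescaped cannot be confirmed from here.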
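Review bot: Only `name` is escaped; `pattern` remains the raw form value, and if the `except (re.error, TypeError)` branch that follows reports the rejected pattern back into the page, that is a reflected XSS this commit leaves open (the branch body is outside the hunk). Escaping `name` here also means the stored topic name is HTML-escaped wherever it is used outside the web UI, the same layering concern as in the GUIBase hunk; escaping at render time would cover both `name` and `pattern` without altering stored data. If a topic carries any other free-text field that is rendered alongside the name, it needs the same treatment, which cannot be verified from the visible lines. The enclosing method continues past the end of the hunk.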