From e565a87da1a41016155cfd08c326e36901cb7531 Mon Sep 17 00:00:00 2001 From: bwarsaw <> Date: Tue, 17 Feb 2004 19:27:46 +0000 Subject: _escape(): Everything except the 'info' variable gets the normal web-safe escaping. 'info' sanitizes just tags. This partially closes bugs 870028 and 881369. --- Mailman/Gui/General.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) (limited to 'Mailman') diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py index a33d1004..7cf1ee06 100644 --- a/Mailman/Gui/General.py +++ b/Mailman/Gui/General.py @@ -1,22 +1,24 @@ -# Copyright (C) 2001,2002 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2004 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. -# +# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software +# along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. """MailList mixin class managing the general options. """ +import re + from Mailman import mm_cfg from Mailman import Utils from Mailman import Errors @@ -174,7 +176,7 @@ class General(GUIBase): messages, overriding the header in the original message if necessary (Explicit address inserts the value of reply_to_address). - +

There are many reasons not to introduce or override the Reply-To: header. One is that some posters depend on their own Reply-To: settings to convey their valid @@ -283,7 +285,7 @@ class General(GUIBase):

  • A blank line separates paragraphs. """)), - ('send_welcome_msg', mm_cfg.Radio, (_('No'), _('Yes')), 0, + ('send_welcome_msg', mm_cfg.Radio, (_('No'), _('Yes')), 0, _('Send welcome message to newly subscribed members?'), _("""Turn this off only if you plan on subscribing people manually and don't want them to know that you did so. This option is most @@ -310,7 +312,7 @@ class General(GUIBase): ('admin_notify_mchanges', mm_cfg.Radio, (_('No'), _('Yes')), 0, _('''Should administrator get notices of subscribes and unsubscribes?''')), - + ('respond_to_post_requests', mm_cfg.Radio, (_('No'), _('Yes')), 0, _('Send mail to poster when their posting is held for approval?'), @@ -338,7 +340,7 @@ class General(GUIBase): # to tell if all were deselected! 0, _('''Default options for new members joining this list.'''), - + _("""When a new member is subscribed to this list, their initial set of options is taken from the this variable's setting.""")), @@ -430,6 +432,15 @@ class General(GUIBase): else: GUIBase._setValue(self, mlist, property, val, doc) + def _escape(self, property, value): + # The 'info' property allows HTML, but lets sanitize it to avoid XSS + # exploits. Everything else should be fully escaped. + if property <> 'info': + return GUIBase._escape(self, property, value) + # Sanitize tags but nothing else. Not the best + # solution, but expedient. + return re.sub(r'<([/]?script.*?)>', r'<\1>', value) + def _postValidate(self, mlist, doc): if not mlist.reply_to_address.strip() and \ mlist.reply_goes_to_list == 2: -- cgit v1.2.3
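Review bot: The `re.sub` call at the end of the new `_escape` method is a case-sensitive, single-line denylist on one tag name, which is a fragile basis for the XSS defence the comment above it describes, and as shown on this page its replacement `r'<\1>'` writes the matched tag back unchanged — if the repository actually has the entity-escaped form `r'&lt;\1&gt;'` the page's HTML rendering has dropped it, which is worth confirming against the checked-in file. At minimum compile the pattern once with `re.IGNORECASE | re.DOTALL` so differently cased or multi-line tags are also neutralized, e.g. `_SCRIPT_TAG = re.compile(r'<([/]?script.*?)>', re.IGNORECASE | re.DOTALL)` at module level and `return _SCRIPT_TAG.sub(r'&lt;\1&gt;', value)` here. Since `info` is deliberately allowed to carry HTML, everything other than that one tag still reaches the page unescaped, so the durable fix is an allowlist of permitted tags and attributes rather than stripping one known-bad tag; the comment already concedes this is expedient, so a `# TODO:` naming the allowlist approach and bugs 870028 and 881369 from the subject would help the next maintainer. A docstring such as `"""Escape 'info' only enough to neutralize script tags; every other property gets GUIBase._escape."""` would make the asymmetry between the two branches explicit.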