------------------------------------------------------------
revno: 1302
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Sun 2011-05-01 09:21:29 -0700
message:
Made the web escaping of additional characters a configuration setting.
modified:
Mailman/Defaults.py.in
Mailman/Utils.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in 2011-04-26 02:10:06 +0000
+++ Mailman/Defaults.py.in 2011-05-01 16:21:29 +0000
@@ -201,6 +201,31 @@
WEB_HIGHLIGHT_COLOR = '#dddddd' # If true, alternating rows
# in listinfo & admin display
+# User entered data is escaped for redisplay in web responses to avoid Cross
+# Site Scripting (XSS) attacks. The normal escaping replaces the characters
+# <, >, & and " with the respective HTML entities <, >, & and
+# ". There are apparently some older, broken browsers that misinterpret
+# certain non-ascii characters as <, > or ". The following two settings
+# control whether additional characters are escaped, and what characters are
+# replaced with what. Note that in character sets that represent some
+# characters as multi-byte sequences, enabling the escaping of additional
+# characters can replace part of a multi-byte sequence with an HTML entity,
+# thus breaking an otherwise harmless character.
+#
+# Enable the replacement of additional characters when escaping strings for
+# the web.
+BROKEN_BROWSER_WORKAROUND = No
+#
+# If the above setting is Yes, the following dictionary definition determines
+# what additional characters are replaced with what.
+BROKEN_BROWSER_REPLACEMENTS = {'\x8b': '‹', # single left angle quote
+ '\x9b': '›', # single right angle quote
+ '\xbc': '¼', # < plus high order bit
+ '\xbe': '¾', # > plus high order bit
+ '\xa2': '¢', # " plus high order bit
+ }
+
+
#####
# Archive defaults
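Review bot: the comment in this hunk is circular as it reads here: "replaces the characters <, >, & and \" with the respective HTML entities <, >, & and \"" names the entities with the same characters they stand for, and the dictionary values show up as the literal characters '‹', '›', '¼', '¾', '¢' rather than the entity references the comment says they are replaced with. Either the entity names were decoded somewhere between the commit and this message, or the committed values really are literal characters; in the second case the workaround would not be producing entities at all. Please double check the committed file and write the entity names in a form that survives rendering (e.g. "ampersand-l-t-semicolon" or a code-style spelling), because the whole point of this setting is which exact byte goes out. Two smaller points on the same hunk: the "Note that in character sets that represent some characters as multi-byte sequences" paragraph is the important caveat for anyone who turns this on, so it would help to state plainly that the setting is only safe for single-byte list charsets, and "There are apparently some older, broken browsers" would be more useful with the bug reference (#774588 in the NEWS hunk) or the browser name alongside it so a later maintainer can decide whether the workaround is still needed.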
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py 2011-04-26 15:45:42 +0000
+++ Mailman/Utils.py 2011-05-01 16:21:29 +0000
@@ -425,19 +425,13 @@
_ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
-# Characters misinterpreted as < or > by some broken browsers.
-_broken_browser = {'\x8b': '‹',
- '\x9b': '›',
- '\xbc': '¼',
- '\xbe': '¾',
- '\xa2': '¢'
- }
def websafe(s):
- # Archiver can pass unicode here. Just skip them as the
- # archiver escapes non-ascii anyway.
- if isinstance(s, str):
- for k in _broken_browser:
- s = s.replace(k, _broken_browser[k])
+ if mm_cfg.BROKEN_BROWSER_WORKAROUND:
+ # Archiver can pass unicode here. Just skip them as the
+ # archiver escapes non-ascii anyway.
+ if isinstance(s, str):
+ for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
+ s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
# Don't double escape html entities
return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
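Review bot: as shown in this hunk, the un-doubling step cannot work: the unchanged context line defines _ampre as '&((?:#[0-9]+|[a-z]+);)' and the replacement is r'&\1', which is the same text, so the sub is a no-op and cgi.escape's output is returned unchanged. For "Don't double escape html entities" to do anything the pattern has to match the escaped ampersand ("&amp;" followed by the entity tail) and rewrite it back to a bare "&". Most likely the pattern was decoded in transit like the comment text in Defaults.py.in, but it is worth confirming the committed line, since the BROKEN_BROWSER_REPLACEMENTS values inserted just above depend on this pass: the replacement runs before cgi.escape, so whatever entity text it inserts is re-escaped and only survives if _ampre unwinds it. A one-line comment above the if mm_cfg.BROKEN_BROWSER_WORKAROUND: block saying that the replacements are applied before escaping on purpose and rely on the _ampre pass would save the next reader from "fixing" the order. Minor: the loop iterates the dictionary directly; that is fine here because every key is a single byte and the (entity) values are ASCII, so no replacement can create a later key, but that property is what makes the ordering irrelevant and deserves a note, as a future entry with a multi-byte key or a non-ASCII value would silently break it.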
=== modified file 'NEWS'
--- NEWS 2011-04-25 23:52:35 +0000
+++ NEWS 2011-05-01 16:21:29 +0000
@@ -41,6 +41,13 @@
is responded to or just logged. It defaults to Yes which is different
from prior behavior. Bug #410236.
+ - Two new mm_cfg.py settings, BROKEN_BROWSER_WORKAROUND and
+ BROKEN_BROWSER_REPLACEMENTS, have been added to control escaping of
+ additional characters beyond the standard <, >, &, and " in the web UI.
+ See the documentation of these settings in Defaults.py. The default
+ values for these settings result in no change from the prior release.
+ Bug #774588.
+
i18n
- Fixed a missing format character in the Spanish translation.
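Review bot: "The default values for these settings result in no change from the prior release" is only true relative to a release that never shipped the unconditional replacement; the Utils.py hunk in this same commit removes a _broken_browser table that was applied to every str passed to websafe(), so with BROKEN_BROWSER_WORKAROUND = No the web escaping does change relative to the previous revision of the 2.1 branch (the removed code dates from the 2011-04-26 revision of Utils.py per the file header). Please name the release the entry is comparing against, and say explicitly that the extra-character escaping introduced on the branch since then is now off by default, so anyone running a branch checkout rather than a release is not misled. The entry could also mention that the setting is intended for single-byte charsets, since that caveat lives only in Defaults.py and NEWS is what most admins read.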
_______________________________________________
Mailman-checkins mailing list
[email protected]
Unsubscribe:
http://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org