------------------------------------------------------------
revno: 1188
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Sat 2009-08-01 12:22:34 -0700
message:
XSS protection in the web interface went too far in escaping HTML
entities. Fixed.
modified:
Mailman/Utils.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription.
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py 2009-07-31 22:37:29 +0000
+++ Mailman/Utils.py 2009-08-01 19:22:34 +0000
@@ -424,8 +424,10 @@
�
+_ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
def websafe(s):
- return cgi.escape(s, quote=True)
+ # Don't double escape html entities
+ return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
def nntpsplit(s):
=== modified file 'NEWS'
--- NEWS 2009-08-01 19:14:32 +0000
+++ NEWS 2009-08-01 19:22:34 +0000
@@ -8,6 +8,9 @@
Bug Fixes and other patches
+ - XSS protection in the web interface went too far in escaping HTML
+ entities. Fixed.
+
- Removed or anonymized additional headers in posts to anonymous lists.
- Fixed a bug that could cause incorrect threading of replies to archived
_______________________________________________
Mailman-checkins mailing list
[email protected]
Unsubscribe:
http://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org
