------------------------------------------------------------ revno: 1788 fixes bug: https://launchpad.net/bugs/1779445 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Wed 2018-07-04 11:41:14 -0700 message: Escaping of HTML entities for the web UI is now done more selectively. modified: Mailman/Utils.py Mailman/htmlformat.py NEWS
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py 2018-07-02 22:37:24 +0000
+++ Mailman/Utils.py 2018-07-04 18:41:14 +0000
@@ -473,7 +473,7 @@
_ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
-def websafe(s):
+def websafe(s, doubleescape=False):
# If a user submits a form or URL with post data or query fragments
# with multiple occurrences of the same variable, we can get a list
# here. Be as careful as possible.
@@ -488,8 +488,11 @@
if isinstance(s, str):
for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
- # Don't double escape html entities
- return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
+ if doubleescape:
+ return cgi.escape(s, quote=True)
+ else:
+ # Don't double escape html entities
+ return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
def nntpsplit(s):
=== modified file 'Mailman/htmlformat.py'
--- Mailman/htmlformat.py 2018-06-17 23:47:34 +0000
+++ Mailman/htmlformat.py 2018-07-04 18:41:14 +0000
@@ -495,7 +495,9 @@
def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
readonly=0):
if isinstance(text, str):
- safetext = Utils.websafe(text)
+ # Double escape HTML entities in non-readonly areas.
+ doubleescape = not readonly
+ safetext = Utils.websafe(text, doubleescape)
else:
safetext = text
self.name = name
=== modified file 'NEWS'
--- NEWS 2018-07-02 22:37:24 +0000
+++ NEWS 2018-07-04 18:41:14 +0000
@@ -12,6 +12,9 @@
- The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was not working. This is fixed. (LP: #1779774)
+ - Escaping of HTML entities for the web UI is now done more selectively.
+ (LP: #1779445)
+
2.1.27 (22-Jun-2018)
Security
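Review bot: `websafe` gains a `doubleescape` flag on the `+def websafe(s, doubleescape=False):` line but still has no docstring, and the only comment under the signature covers the list-handling case, so a caller cannot tell what the two modes produce or where the result is safe to embed. I would add a docstring stating that the result comes from `cgi.escape(s, quote=True)`; that with `doubleescape=False` (the default, which preserves the old behaviour) a pre-existing `&name;` or `&#NNN;` entity is left intact so the browser renders it, while `doubleescape=True` escapes its ampersand too so the entity survives a form round-trip verbatim; and that `'` is never escaped, so the output belongs in text nodes or double-quoted attribute values only. The body of `websafe` continues below this hunk.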
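Review bot: The `else` branch keeps the un-escaping step `_ampre.sub(r'&\1', ...)` as the default path for every existing caller, and its comment says what it does but not why it is safe, which is the question a later reader of this security-sensitive line will ask; I would write next to it `# Safe only because _ampre requires a complete entity (&name; or &#NNN;); anything else, e.g. &#x3c; or &frac12;, stays double-escaped, which is the harmless direction.` Both branches also call `cgi.escape(s, quote=True)`; computing it once with `escaped = cgi.escape(s, quote=True)`, then `if doubleescape: return escaped` and `return _ampre.sub(r'&\1', escaped)`, removes the duplicated call and the `else`. The enclosing function starts above this hunk.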
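Review bot: The `else:` / `safetext = text` branch still hands any non-`str` value to the textarea unescaped, so under Python 2 (which Mailman 2.1 and the use of `cgi.escape` imply) a `unicode` value reaching `TextArea` would bypass `websafe` entirely; I cannot see from this hunk whether that branch exists for htmlformat objects that render themselves or whether unicode can arrive here, but if it is the former, `if isinstance(text, basestring):` closes the gap without changing the object case. On the new lines, `Utils.websafe(text, doubleescape)` passes a boolean positionally through a temporary; `safetext = Utils.websafe(text, doubleescape=not readonly)` says the same thing in one line and keeps working if `websafe` ever grows another parameter. `__init__` continues below this hunk.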