------------------------------------------------------------
revno: 1788
fixes bug: https://launchpad.net/bugs/1779445
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Wed 2018-07-04 11:41:14 -0700
message:
  Escaping of HTML entities for the web UI is now done more selectively.
modified:
  Mailman/Utils.py
  Mailman/htmlformat.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2018-07-02 22:37:24 +0000
+++ Mailman/Utils.py	2018-07-04 18:41:14 +0000
@@ -473,7 +473,7 @@
 
 
 _ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
-def websafe(s):
+def websafe(s, doubleescape=False):
     # If a user submits a form or URL with post data or query fragments
     # with multiple occurrences of the same variable, we can get a list
     # here.  Be as careful as possible.
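Review bot: The new `doubleescape` parameter on the `def websafe(s, doubleescape=False):` line is undocumented; the function has only the inline comment about list-valued input, so a caller cannot tell what the flag changes without reading `_ampre`. Add a docstring such as `"""Return s escaped for HTML output. With doubleescape=False, '&amp;' preceding an entity-like sequence is reverted to '&' so entities already in s are not escaped twice; with doubleescape=True the text is escaped as-is."""`. The body of websafe continues in the next hunk.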
@@ -488,8 +488,11 @@
         if isinstance(s, str):
             for k in mm_cfg.BROKEN_BROWSER_REPLACEMENTS:
                 s = s.replace(k, mm_cfg.BROKEN_BROWSER_REPLACEMENTS[k])
-    # Don't double escape html entities
-    return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
+    if doubleescape:
+        return cgi.escape(s, quote=True)
+    else:
+        # Don't double escape html entities
+        return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
 
 
 def nntpsplit(s):
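Review bot: Both branches added after the BROKEN_BROWSER_REPLACEMENTS loop call `cgi.escape(s, quote=True)`, and the `else:` after a `return` is redundant; escaping once and then choosing whether to apply the `_ampre` un-doubling makes the only difference between the two paths obvious. The default path still turns `&amp;lt;` back into `&lt;`, which is fine for display because the browser renders the entity as literal text, but text that is written back into an editable control presumably needs `doubleescape=True` so the stored entity survives a round trip — that appears to be why the htmlformat.py hunk keys on `readonly`. websafe begins in the preceding hunk.
```python
    escaped = cgi.escape(s, quote=True)
    if doubleescape:
        return escaped
    # Don't double escape html entities already present in s
    return _ampre.sub(r'&\1', escaped)
```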

=== modified file 'Mailman/htmlformat.py'
--- Mailman/htmlformat.py	2018-06-17 23:47:34 +0000
+++ Mailman/htmlformat.py	2018-07-04 18:41:14 +0000
@@ -495,7 +495,9 @@
     def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
                  readonly=0):
         if isinstance(text, str):
-            safetext = Utils.websafe(text)
+            # Double escape HTML entities in non-readonly areas.
+            doubleescape = not readonly
+            safetext = Utils.websafe(text, doubleescape)
         else:
             safetext = text
         self.name = name
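Review bot: `safetext = Utils.websafe(text, doubleescape)` passes the new flag positionally, so a reader of this constructor has to open Utils.py to learn what the second argument does; `safetext = Utils.websafe(text, doubleescape=not readonly)` reads on its own and removes the one-use temporary. The comment above it states what is done but not why; suggest `# Editable text must round-trip unchanged, so entities already in it are escaped again rather than rendered (presumably the display-only case can keep them).` Note that `readonly` defaults to 0, so the double-escaping path is the common one. `__init__` continues past the end of the hunk.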

=== modified file 'NEWS'
--- NEWS	2018-07-02 22:37:24 +0000
+++ NEWS	2018-07-04 18:41:14 +0000
@@ -12,6 +12,9 @@
     - The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was
       not working.  This is fixed.  (LP: #1779774)
 
+    - Escaping of HTML entities for the web UI is now done more selectively.
+      (LP: #1779445)
+
 2.1.27 (22-Jun-2018)
 
   Security
