Bryan Fullerton wrote:

>On Thu, 20 Jan 2005 18:55:51 -0800, Mark Sapiro <[EMAIL PROTECTED]> wrote:
>> First is all text entered via the web admin interface is HTML escaped
>> resulting in the <, etc.
>>
>> To avoid this, set the text for member_moderation_notice using
>> bin/config_list instead of using the web interface.
>
>This generally needs a better solution. "Use bin/config_list" is fine
>as a solution for site admins, but isn't useful for list admins -
>they're basically stuck until the site admins manually handle each
>request.
>
>Perhaps parsing the escaped bits or tag replacement for the text blobs
>submitted via the web interface? This isn't a new issue on the web,
>other people using python must have found some way of dealing with it.
I agree that it would be good to have a solution that would allow list admins to put HTML tags or even just "&" characters in some of these fields. Currently, the 'info' field is treated specially and allows anything but a </?script.*> tag. Everything else is fully HTML escaped. The purpose of this is to prevent XSS attacks presumably by list admins. Since the contents of these fields are displayed on the admin web pages regardless of how they are entered, if list admins are deemed untrustworthy at the site level, they shouldn't be allowed to put this stuff in by any method. I personally know very little about XSS attacks and am unable to comment intelligently on how much security is required.

>Or, alternatively, perhaps email commands for updating the various
>text blobs? (that has other charset issues, but...)

--
Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
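The two policies Mark describes (full escaping of every field versus the 'info' field's script-tag strip), next to an allowlist-based "tag replacement" of the kind Bryan proposes, as an added Python example that is not Mailman's own code. The regex is my reading of the `</?script.*>` pattern mentioned above, and the set of allowed tags, attributes and URL schemes is an assumption for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Policy 1 (every field except 'info'): full HTML escaping, so "<b>" and "&"
# are shown literally on the admin pages.
def escape_field(text):
    return escape(text, quote=True)

# Policy 2 (the 'info' field): only script tags are removed, everything else
# passes through unchanged. Regex is my reading of "</?script.*>" in the thread.
SCRIPT_TAG_RE = re.compile(r'</?script.*?>', re.IGNORECASE | re.DOTALL)

def info_field(text):
    return SCRIPT_TAG_RE.sub('', text)

# Policy 3 (allowlist tag replacement, an assumption of mine): a few formatting
# tags and attributes are kept, every other tag and attribute is turned into
# visible escaped text, and all character data is re-escaped on output.
ALLOWED = {'b': (), 'i': (), 'em': (), 'strong': (), 'p': (), 'a': ('href',)}
SAFE_SCHEMES = ('http://', 'https://', 'mailto:')

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&amp;" arrives as "&" in data
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            # Tag not on the list: render it as literal, escaped text.
            self.out.append(escape(self.get_starttag_text(), quote=True))
            return
        kept = ''
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None:
                if name == 'href' and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # drop links whose scheme is not on the list
                kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append('<%s%s>' % (tag, kept))

    def handle_endtag(self, tag):
        self.out.append('</%s>' % tag if tag in ALLOWED else '&lt;/%s&gt;' % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))  # data is always re-escaped

def sanitize_field(text):
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()  # flushes any buffered character data
    return ''.join(parser.out)
```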
