Error while editing general list information page

Bug #266273 reported by Eivind-nordby
This bug affects 1 person
Affects: GNU Mailman
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

I got the error message enclosed when I save the general list information page for the list davd11 after some editing. Actually, I just have to open the page http://www.cs.kau.se/mailman/edithtml/davd11/listinfo.html and click submit changes (without doing any changes) for the error page to appear.

Enclosed: error page, error log (zipped)

I got the enclosed message when I wanted to edit some HTML code in the presentation page for the davd11 list. It is enough to save the page that is already in use (which I have edited before). Now it generates this error message. Can perhaps be forwarded to mailman or something. It is not critical for me, I'll manage.

Eivind

[http://sourceforge.net/tracker/index.php?func=detail&aid=1284832&group_id=103&atid=100103]

Cedders (cedric-gn) wrote :

It looks like a few people (e.g. on Sourceforge) have reported that the suspicious HTML check is too suspicious since it was introduced in version 2.1.9; for instance rejecting innocent META tags. Also, it links to http://wiki.list.org/x/jYA9 for more information, but there is no information there about the reasons for rejection, leading to frustration for the list owner.

"The page you saved contains suspicious HTML that could potentially expose your users to cross-site scripting attacks. This change has therefore been rejected. If you still want to make these changes, you must have shell access to your Mailman server.
See FAQ 4.48."

Could either the list of "badwords" be moved to Defaults.py, or there be an option to say that we trust list owners to edit their own HTML?

I've worked around by hacking /usr/lib/mailman/Mailman/Cgi/edithtml.py line 162.

Changed in mailman:
status: New → Confirmed
Mark Sapiro (msapiro)
Changed in mailman:
milestone: none → 2.1.12
Mark Sapiro (msapiro) wrote :

You have hijacked a totally different (invalid) bug report. This original 'bug' is the result of a lack of permission to create or write the lists/LISTNAME/en/listinfo.html file.

The SF bug #2164798 which is relevant to your issue was created after the migration to Launchpad as noted in that bug. That bug was closed and was fixed in Mailman 2.1.12.

The web interface will be entirely redone for MM 3 and this is unlikely to be an issue there. I did consider a "trusted list admin" option for the suspicious HTML check, but decided against it.

Also note that the reference to FAQ 4.48 is not intended to explain the "suspicious html". It is intended to explain how to install the template without triggering the check.

Cedders (cedric-gn) wrote :

Oops, sorry. I was trying too hard not to create a duplicate, and am surprised it isn't already on launchpad, having seen the Sourceforge report you mention. Should I resubmit as a new bug/request?

I'm using 2.1.12 and still seeing the error - I gather the fix was to add a lookahead exclusion based on the current options template. Having seen quite a few recent injected HTML attacks on the lines of Gumblar, I wonder if it would be adequate to block on the basis only of meta refresh, iframe, script src= and certain JS keywords like unescape and str_replace; on the other hand, the badwords list is probably not that comprehensive: it doesn't exclude possible XSS routes like embed, object or the obscure table background=javascript:....

IMHO a "trusted list admin" option would cover most needs most easily - giving SSH access to an (untrusted?) user might create greater security problems.

I shared the list administrator's misunderstanding of the FAQ reference because of context.

Mark Sapiro (msapiro) wrote :

If by "still seeing the error" you mean that the default options.html template generates the "suspicious html" message in the GUI editor, then I don't understand why, because that was fixed in 2.1.12 as you gather, by adding a negative lookahead to except that specific <link> tag.

If you mean just that the test is too strict because it thinks various innocent tags are suspicious, then yes, you are correct. It does that. And, it should be a whitelist rather than a blacklist which would make it even stricter.

It is not intended to be a 100% perfect XSS detector or even close. It is intended to require that anything remotely suspicious be installed by an admin with shell access. This doesn't mean that list admins should be given shell access to do this. That would defeat the whole purpose of the test. It means that only a site admin has authority to bypass the test.

As I said, the web interface will be redone completely for MM 3. It is not clear that this will have any relevance there, but if you wish to submit an RFE for the "trusted list admin" option that would allow list admins to alter the web interface for their list in any way they wish, please do.

However, nothing is likely to change on the 2.1 branch.

Mark Sapiro (msapiro)
Changed in mailman:
status: Confirmed → Invalid
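The blacklist-versus-whitelist contrast discussed in the thread, as an added illustration that is not Mailman's code: a constructed "badwords" check with a negative-lookahead exemption for one specific `<link>` tag, beside a whitelist parser that rejects anything not explicitly allowed. The bad words, the allowed tags and attributes, and the exempted stylesheet tag are all assumptions made for this example, not Mailman's actual values.

```python
import re
from html.parser import HTMLParser

# Constructed "badwords" blacklist in the spirit of the check discussed in the
# thread; these are NOT Mailman's actual patterns. The negative lookahead on
# <link> exempts one specific tag (an assumed stylesheet link), which is the
# kind of carve-out the thread describes for the default options template.
BADWORDS = [
    r'<script', r'<iframe', r'<frame', r'<meta', r'href="javascript:',
    r'<link(?!\s+rel="stylesheet"\s+href="/mailman/mm\.css">)',
]
BADWORDS_RE = re.compile('|'.join(BADWORDS), re.IGNORECASE)

def blacklist_suspicious(page: str) -> bool:
    """Blacklist check: the page is rejected if any bad word appears anywhere."""
    return BADWORDS_RE.search(page) is not None

# Whitelist check: only these tags/attributes are allowed; anything else is
# suspicious. Stricter than the blacklist because unknown constructs (object,
# embed, a javascript: URL in an unlisted attribute) are rejected by default.
ALLOWED_TAGS = {'p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a',
                'table', 'tr', 'td', 'th', 'h1', 'h2', 'h3'}
ALLOWED_ATTRS = {'a': {'href'}, 'td': {'colspan'},
                 'table': {'border', 'cellpadding', 'width'}}
SAFE_URL_RE = re.compile(r'^(https?:|mailto:|/|#)', re.IGNORECASE)

class WhitelistChecker(HTMLParser):
    """Collects a reason for every tag or attribute that is not on the whitelist."""
    def __init__(self):
        super().__init__()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.suspicious.append(f'tag <{tag}>')
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.suspicious.append(f'attribute {name} on <{tag}>')
            elif name == 'href' and not SAFE_URL_RE.match((value or '').strip()):
                self.suspicious.append(f'href value {value!r}')

def whitelist_suspicious(page: str) -> list:
    """Return the list of whitelist violations (empty means the page is accepted)."""
    checker = WhitelistChecker()
    checker.feed(page)
    checker.close()
    return checker.suspicious
```

Run against a constructed page such as `<table background="javascript:alert(1)">...`, the blacklist accepts it (no listed word matches) while the whitelist reports the unlisted attribute, which is the gap the thread points out.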