FIX: Inputs are incompletely escaped & saved (2.1 & 2.2)

Bug #558250 reported by ikedasoji
This bug affects 1 person
Affects: GNU Mailman
Status: New
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

Inputs on admin pages are incompletely escaped, then
the escaped values are saved (except the 'info' property).
This expedient solution has caused the following problems:
o Input including `"' breaks HTML formatting.
o `<' is not allowed in admin/user option values (it is
replaced with '&lt;' in many contexts).
o 'info' in the admin page might break HTML formatting with
some sorts of tags (e.g. '</textarea>').

This patch solves these problems. The unescaped
value is always saved (except '<script>' in 'info') and
is escaped only when it is displayed as HTML.

ikedasoji (ikedasoji) wrote :

The file mailman-2.1.8-htmlescape.patch was added: for 2.1.8

ikedasoji (ikedasoji) wrote :

The file mailman-r7929-htmlescape.patch was added: for 2.2.0a1 (untested)
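
The two approaches contrasted in the bug description, as an added example (this is not Mailman's code and not the attached patch). The function names, the `description` option and the sample values are constructed for illustration, and `incomplete_escape` is an assumed stand-in for the old behaviour. Each flow stores a value, renders the form control, and parses it back to show what the form would resubmit.

```python
import html
from html.parser import HTMLParser

def incomplete_escape(value):
    # Assumed stand-in for the old behaviour: &, < and > escaped, '"' left alone.
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def render_field(name, text, escape):
    """Emit the form control; `escape` is applied to the value at output time."""
    if name == "info":
        return '<textarea name="info">%s</textarea>' % escape(text)
    return '<input name="%s" value="%s">' % (name, escape(text))

def old_flow(name, raw):
    """Escape (incompletely) on input, store that, print the stored text as-is."""
    stored = raw if name == "info" else incomplete_escape(raw)
    return stored, render_field(name, stored, lambda s: s)

def new_flow(name, raw):
    """Store the raw value; escape fully (quotes included) only when emitting HTML."""
    return raw, render_field(name, raw, html.escape)

class FieldReader(HTMLParser):
    """Recovers the field value an HTML parser sees in the rendered control."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.value, self.text, self.in_area = None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.value = dict(attrs).get("value")
        elif tag == "textarea":
            self.in_area = True
    def handle_endtag(self, tag):
        if tag == "textarea":
            self.in_area = False
    def handle_data(self, data):
        if self.in_area:
            self.text.append(data)

def round_trip(flow, name, raw):
    """Return (value as stored, value as parsed back from the rendered form)."""
    stored, markup = flow(name, raw)
    reader = FieldReader()
    reader.feed(markup)
    reader.close()
    seen = "".join(reader.text) if name == "info" else reader.value
    return stored, seen
```

With `old_flow`, the stored option carries `&lt;` into every non-HTML use and the parsed-back value is cut off at the first `"` or `</textarea>`; with `new_flow`, both the stored and the parsed-back values equal the input.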
