FIX: Inputs are incompletely escaped & saved (2.1 & 2.2)
Bug #558250 reported by ikedasoji
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | New | High | Unassigned |
Bug Description
Inputs on admin pages are incompletely escaped, then
the escaped values are saved (except the 'info' property).
This expedient solution has caused the following problems:
o Input including `"' breaks HTML formatting.
o `<' is not allowed in admin/user option values (it is
replaced with '&lt;' in many contexts).
o 'info' in the admin page might break HTML formatting with
some sorts of tags (e.g. '</textarea>').
This patch solves these problems. The unescaped
value is always saved (except '<script>' in 'info') and
is escaped only when it is displayed as HTML.
The file mailman-2.1.8-htmlescape.patch was added: for 2.1.8
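The two storage patterns contrasted in the bug description, as an added Python example (not Mailman code and not the attached patch). The function names, the `partial_escape` stand-in, the dict used as a store and the sample values are assumptions made for illustration; the '<script>' handling for 'info' is not modelled.

```python
import html
from html.parser import HTMLParser

def partial_escape(value):
    # Constructed stand-in for an escaper that handles & < > but not quotes.
    return html.escape(value, quote=False)

# Pattern the report describes: escape on input, save the escaped text,
# then trust the stored text when building the page.
def save_escaped(store, key, raw):
    store[key] = partial_escape(raw)

def render_input_trusting(store, key):
    return '<input name="%s" value="%s">' % (key, store[key])

# Pattern the report proposes: save the raw value, escape only on output.
def save_raw(store, key, raw):
    store[key] = raw

def render_input(store, key):
    return '<input name="%s" value="%s">' % (key, html.escape(store[key], quote=True))

def render_textarea(store, key, escape=True):
    body = html.escape(store[key], quote=True) if escape else store[key]
    return '<textarea name="%s">%s</textarea>' % (key, body)

class FieldReader(HTMLParser):
    """Recovers the field value an HTML parser sees in rendered markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.value, self.in_textarea = None, False
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.value = dict(attrs).get("value")
        elif tag == "textarea":
            self.value, self.in_textarea = "", True
    def handle_endtag(self, tag):
        if tag == "textarea":
            self.in_textarea = False
    def handle_data(self, data):
        if self.in_textarea:
            self.value += data

def displayed_value(markup):
    reader = FieldReader()
    reader.feed(markup)
    reader.close()
    return reader.value

RAW = 'Alice "Al" <al@example.org>'      # constructed sample option value
INFO = 'Welcome</textarea><b>list</b>'   # constructed sample 'info' text
```

`displayed_value` gives a round-trip check: a value is handled correctly when what the parser reads back from the rendered field equals what the administrator typed.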