html in listinfo is quoted
Bug #266008 reported by Barry Warsaw
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | High | Barry Warsaw | 
Bug Description
If you enter html into the 'info' text area, the listinfo page sees that html as quoted, not as valid html. This is a result of the XSS hole closure in 2.1.4, but some innocent tags should be allowed back in.
[http://
The same goes if you use Umlauts (åäö, or ¨ å ö) in the welcome-text text area. First it converts the Umlaut character to a decimal reference (&#228;), and after that it converts the & character into a character entity. In other words, when the user gets the welcome email that contains ä characters (&#228;), it is converted twice. This is the code-soup for this character that finally arrives: &amp;#228; instead of the single ä character.
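Both the bug report (escape everything, then let a few innocent tags back in) and the comment above (an entity produced by one step being escaped again by the next) are about the same sanitising pipeline. The Python below is an added example written for this page, not Mailman's own code: the allow-list of tags, the `href` scheme check, the helper names and the two welcome-mail pipelines are assumptions chosen to illustrate the two reports, and the sample inputs are constructed.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list: the bug report asks for "innocent" tags but does not name them.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute (onclick, style, ...) is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}                       # never pushed on the open-tag stack


class InfoSanitizer(HTMLParser):
    """Escape everything; re-emit only allow-listed tags as real markup."""

    def __init__(self):
        # convert_charrefs=True: '&#228;' and '&amp;' reach handle_data as the
        # characters they stand for, so escaping them again never double-encodes.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []                   # allowed tags still open, to keep output balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: show it literally, which is what the 2.1.4 fix does for all tags.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            # attribute values arrive already entity-decoded, so 'javascript&#58;' is caught too
            if (name in ALLOWED_ATTRS.get(tag, ()) and value is not None
                    and value.strip().lower().startswith(SAFE_SCHEMES)):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # '<br/>' is treated like '<br>'

    def handle_endtag(self, tag):
        if tag in self.open:
            # close everything opened after it so the output stays well-formed
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        elif tag not in ALLOWED_TAGS:
            self.out.append(html.escape(f"</{tag}>"))
        # a stray closing tag for an allowed element that is not open is dropped

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.out.append(html.escape(f"<!--{data}-->"))

    def result(self):
        self.close()                     # flush buffered text
        return "".join(self.out) + "".join(f"</{t}>" for t in reversed(self.open))


def sanitize_info(text):
    """Listinfo 'info' field: escaped HTML with the allow-listed tags restored."""
    s = InfoSanitizer()
    s.feed(text)
    return s.result()


def to_decimal_refs(text):
    """Replace every non-ASCII character by its decimal character reference."""
    return "".join(c if ord(c) < 128 else f"&#{ord(c)};" for c in text)


def welcome_naive(text):
    # The order the comment describes: references first, '&' escaping second,
    # so the '&' of '&#228;' is escaped too and an 'ä' arrives as '&amp;#228;'.
    return html.escape(to_decimal_refs(text), quote=False)


def welcome_fixed(text):
    # Escape the user's markup first, then encode non-ASCII: the '&' produced
    # by the reference step is never seen by html.escape.
    return to_decimal_refs(html.escape(text, quote=False))


if __name__ == "__main__":
    # constructed inputs
    print(sanitize_info('<b>Hi</b> <script>alert(1)</script> <a href="javascript:x()">l</a>'))
    print(sanitize_info("&#228; &amp; <i>x</i>"))    # no '&amp;amp;' and no '&amp;#228;'
    print(welcome_naive("ä"), "vs", welcome_fixed("ä"))
```

The ordering point is the whole fix for the second report: any step that emits its own `&` (character references, `&amp;`) has to run after the step that escapes user-supplied `&`, or the escaper must decode first as `InfoSanitizer` does; doing it the other way round is what turns one `ä` into `&amp;#228;`.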