html in listinfo is quoted

Bug #266008 reported by Barry Warsaw
Affects: GNU Mailman
Status: Fix Released
Importance: High
Assigned to: Barry Warsaw

Bug Description

If you enter html into the 'info' text area, the
listinfo page sees that html as quoted, not as valid
html. This is a result of the XSS hole closure in
2.1.4, but some innocent tags should be allowed back in.

[http://sourceforge.net/tracker/index.php?func=detail&aid=870028&group_id=103&atid=100103]

Tags: web-cgi
Hertell (hertell) wrote:

The same goes if you use Umlauts (åäö, or ¨ å
ö) in the welcome-text text-area. First it converts the
Umlaut character to a decimal reference (&#228), and after
that it converts the & character into a character entity.

In other words; when the user gets the welcome-email that
contains ä characters (ä), it is converted twice: This
is the code-soup for this character that finally arrives:
ä instead of the single ä character

Hertell (hertell) wrote:

I tracked down the encoding-problem to the following row in
Defaults.py:
add_language('en', _('English (USA)'), 'us-ascii')

Changing the encoding to iso-8859-1 fixes the problem.
add_language('en', _('English (USA)'), 'iso-8859-1')

You probably ask why I don't use the admin-pages in my local
language? The answer is that I prefer English before
anything else.

Barry Warsaw (barry) wrote:

The original bug is now fixed in cvs, for 2.1.5.

The one that hertell describes is not so much a bug but a
byproduct of the design. If you want to include non-ascii
characters in the welcome text, then you have to switch to a
language that includes those characters in its encoding,
enter them, then switch back to English.
