Suspicious HTML in default user-specific options template
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GNU Mailman | Fix Released | Undecided | Mark Sapiro | |
Bug Description
The line
<link rel="SHORTCUT ICON" href="<
appears near the top of the default user-specific options template in various languages including en, es, and fr. The link tag is flagged as an HTML _badwords entry in line 898 of Utils.py.
The consequence is most attempts to edit the user-specific options template via the web-based administrative interface will result in a "suspicious html" error. The easiest solution would be to remove the <link...> from the templates.
A better solution could be to allow the site administrator to override the warning. (Perhaps I will try to write such a patch once I'm a little more familiar with Python.)
(A too-good-to-be-true solution would be to figure out how to actually detect vulnerable HTML rather than simply identify tags and attributes that could be abused...)
Forgot to mention... the site I have running is using version 2.1.10; I also checked the code in 2.1.11. Version 3.0.0.a2 seems to be using a much smaller set of checks, possibly just disallowing the <script> tag? From edithtml.py, part of def ChangeHTML:

```python
import re

# The only check in 3.0.0.a2's ChangeHTML: HTML-escape the angle brackets of
# <script ...> and </script> tags so they are rendered as text, not executed.
code = re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', code)
```

(2.1.11 has if Utils.suspiciousHTML(code): ...)
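To make the difference between the two approaches concrete, here is an added example (not Mailman's own code). It pairs a 2.1-style tag/attribute blacklist with the 3.0.0.a2 script-escaping regex quoted above and runs both over a favicon link line and a script tag. The blacklist, the `allow_suspicious` override flag and the `/favicon.ico` href are constructed assumptions for the demonstration; Mailman's real `_badwords` list and the full template line are not reproduced here.

```python
import re

# Constructed approximation of a tag/attribute blacklist in the spirit of
# Mailman 2.1's _badwords (assumption: not the project's actual list).
BADWORDS = [
    r'<i?frame',
    r'<link',
    r'<meta',
    r'<script',
    r'\bjavascript:',
    r'\bvbscript:',
    r'\bon\w+\s*=',      # inline event handlers such as onload=
]
_badhtml = re.compile('|'.join(BADWORDS), re.IGNORECASE)


def suspicious_html(html):
    """2.1-style check: reject when any blacklisted tag or attribute appears.

    Any <link> tag trips it, which is why the stock template with a favicon
    <link> cannot be saved from the admin interface (the false positive
    described in the report).
    """
    return _badhtml.search(html) is not None


def neutralize_script(code):
    """3.0.0.a2-style check quoted in the report: only <script> tags are
    escaped; everything else, including <link>, passes through untouched."""
    return re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', code)


def check_template(code, allow_suspicious=False):
    """Both checks in sequence, with the site-admin override the reporter
    proposes (assumption: 'allow_suspicious' is a hypothetical flag, not a
    Mailman configuration option). Returns the code to store, or raises."""
    if suspicious_html(code) and not allow_suspicious:
        raise ValueError('suspicious html')
    return neutralize_script(code)


# Constructed sample inputs. The favicon href stands in for the truncated
# template line; the script body is a harmless placeholder.
FAVICON_LINE = '<link rel="SHORTCUT ICON" href="/favicon.ico">'
SCRIPT_LINE = '<script>document.title = "x"</script>'

if __name__ == '__main__':
    for sample in (FAVICON_LINE, SCRIPT_LINE):
        print('input:      ', sample)
        print('2.1 flags:  ', suspicious_html(sample))
        print('3.0a2 gives:', neutralize_script(sample))
        print()
```

Running it shows the trade-off the report is about: the blacklist rejects the harmless favicon `<link>` outright, while the script-only regex lets it through unchanged and still defuses `<script>`/`</script>` by turning their angle brackets into entities. The override in `check_template` is one way to let a site administrator save a template that a coarse blacklist flags.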