Suspicious HTML in default user-specific options template
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| GNU Mailman |
Fix Released
|
Undecided
|
Mark Sapiro | ||
Bug Description
The line
<link rel="SHORTCUT ICON" href="<
appears near the top of the default user-specific options template in various languages including en, es, and fr. The link tag is flagged as a HTML _badwords in line 898 of Utils.py.
The consequence is most attempts to edit the user-specific options template via the web-based administrative interface will result in a "suspicious html" error. The easiest solution would be to remove the <link...> from the templates.
A better solution could be to allow the site administrator to override the warning. (Perhaps I will try to write such a patch once I'm a little more familiar with Python.)
(A too-good-to-be-true solution would be to figure out how to actually detect vulnerable HTML rather than simply identify tags and attributes that could be abused...)
| David H. Brown (dave-davidhbrown) wrote | #1 |
| Mark Sapiro (msapiro) wrote | #2 |
| Changed in mailman: | |
| assignee: | nobody → msapiro |
| status: | New → Fix Released |
Forgot to mention... the site I have running is using version 2.1.10; I also checked the code in 2.1.11 Version 3.0.0.a2 seems to be using a much smaller set of checks, possibly just disallowing the <script> tag? From edithtml.py part of def ChangeHTML :
code = re.sub(
(2.1.11 has if Utils.suspiciou