Comment 1 for bug 557937

msapiro (msapiro-users) wrote :

1) It is only by accident I saw this report. All Mailman bugs, even for 2.1 should be reported at <https://bugs.launchpad.net/mailman>. The sourceforge tracker is only available so old URLs to bug reports still work.

2) I have confirmed the issue. It is because of the line
    <link rel="SHORTCUT ICON" href="<mm-favicon>">
in the template. If you remove the 'link' tag, you can edit the rest of the template.

3) There are two ways to fix this. In general, link tags are a viable attack vector in some browsers, so I don't want to just allow them. I could just remove the offending link tag from the template, but people may like it and that wouldn't fix the problem if there were previously edited site, domain or list versions of the template in the installation.

So I have opted to fix this by exempting this specific tag with this patch:

--- Mailman/Utils.py 2008-11-13 04:02:29 +0000
+++ Mailman/Utils.py 2008-12-05 22:36:30 +0000
@@ -905,7 +905,8 @@
 # Many thanks are due to Moritz Naumann for his assistance with this.
 _badwords = [
     '<i?frame',
- '<link',
+ # Kludge to allow the specific tag that's in the options.html template.
+ '<link(?! rel="SHORTCUT ICON" href="<mm-favicon>">)',
     '<meta',
     '<script',
     r'(?:^|\W)j(?:ava)?script(?:\W|$)',
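Review bot: the negative lookahead on the new `'<link(?! rel="SHORTCUT ICON" href="<mm-favicon>">)'` entry exempts only that exact byte sequence, so an already-edited site, domain or list copy of the template that differs in whitespace or attribute order (the case the comment says motivated keeping the tag) will still be rejected; if that tolerance is wanted, make the entry a raw string like the `r'(?:^|\W)j(?:ava)?script...'` line below it and allow `\s+` between `<link`, `rel=...` and `href=...`, e.g. `r'<link(?!\s+rel="SHORTCUT ICON"\s+href="<mm-favicon>">)'`, while keeping the closing `">` inside the lookahead so a `<link>` carrying any extra attribute stays blocked. The `# Kludge ...` comment should also say why `<link` is in `_badwords` at all (the comment above this hunk explains it is a viable attack vector in some browsers) so the next maintainer does not widen the exemption.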