Feature request: Option to trust list owners' HTML
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
GNU Mailman |
New
|
Undecided
|
Unassigned |
Bug Description
List owners may want to edit the list information or subscribe pages to link to CSS or JS on a main site, to use a standard style or do form validation, for example. The checks against cross-site scripting prevent this, and the text suggesting shell access may be inappropriate. The site admin may trust the list owners, but it may not be desirable for privacy or firewall reasons to give them SSH access to the Mailman server. (previously suggested on bug 266273)
It would therefore be very useful to have a global option to turn off the XSS checking as needed. A simple patch is attached to provide this option. I didn't find existing translations for the relevant error messages (in French or Spanish at least).