=== modified file 'Mailman/Cgi/edithtml.py'
--- Mailman/Cgi/edithtml.py 2010-03-29 20:48:11 +0000
+++ Mailman/Cgi/edithtml.py 2011-05-23 10:01:27 +0000
@@ -161,14 +161,15 @@
doc.AddItem('
')
return
code = cgi_info['html_code'].value
- if Utils.suspiciousHTML(code):
+ if Utils.suspiciousHTML(code) and not mm_cfg.OWNERS_CAN_USE_FULL_HTML:
doc.AddItem(Header(3,
_("""The page you saved contains suspicious HTML that could
potentially expose your users to cross-site scripting attacks. This change
has therefore been rejected. If you still want to make these changes, you
-must have shell access to your Mailman server.
+must contact the site administrator, or have shell access to your Mailman
+server.
""")))
- doc.AddItem(_('See '))
+ doc.AddItem(_('For information on installing via shell access, see '))
doc.AddItem(Link(
'http://wiki.list.org/x/jYA9',
_('FAQ 4.48.')))
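Review bot: With `OWNERS_CAN_USE_FULL_HTML` set, the new condition on the `if` line discards the result of `Utils.suspiciousHTML(code)`, so HTML that would otherwise have been rejected is saved with no record that the check was overridden, and the site administrator has nothing to review later. I would keep `Utils.suspiciousHTML(code)` as the outer `if`, nest the existing rejection under `if not mm_cfg.OWNERS_CAN_USE_FULL_HTML:`, and add an `else:` branch that logs the override, e.g. `syslog('error', 'Suspicious HTML accepted for %s (OWNERS_CAN_USE_FULL_HTML is Yes)', <list name>)` — this presumes the list object and Mailman's Syslog helper are in scope in this module, which needs confirming against its imports. A one-line comment above the condition would also make the intent visible to the next reader: `# Site-wide override: OWNERS_CAN_USE_FULL_HTML accepts HTML that suspiciousHTML flags.` The enclosing function starts and ends outside this hunk.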
=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in 2011-05-01 16:21:29 +0000
+++ Mailman/Defaults.py.in 2011-05-23 09:32:37 +0000
@@ -901,6 +901,12 @@
# log in as the member and make global changes.
OWNERS_CAN_CHANGE_MEMBER_PASSWORDS = No
+# Set this variable to Yes to bypass anti-XSS checks on edits to the public
+# pages for lists. Set it to No if list owners aren't all trustworthy.
+# Yes allows a list owner to add javascript to the public HTML and
+# thereby expose users to cross-site scripting attacks.
+OWNERS_CAN_USE_FULL_HTML = No
+
# Should held messages be saved on disk as Python pickles or as plain text?
# The former is more efficient since we don't need to go through the
# parse/generate roundtrip each time, but the latter might be preferred if you
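Review bot: The new comment above `OWNERS_CAN_USE_FULL_HTML` does not say that the override is site-wide: it is a Defaults.py setting read through `mm_cfg`, so setting it to Yes trusts the owners of every list on the installation, and this change adds no per-list control. I would add `# This setting is site-wide: Yes trusts the owners of every list on this server.` and name the place it takes effect, `# Checked in Mailman/Cgi/edithtml.py when a list owner saves a public page.`, so an administrator reading mm_cfg.py can judge the exposure without reading the CGI code.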