[ mailman-Patches-1520343 ] Inputs are incompletely escaped & saved (2.1 & 2.2)
Patches item #1520343, was opened at 2006-07-11 13:34
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1520343&group_id=103

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Web UI
Group: Mailman 2.2 / 3.0
Status: Open
Resolution: None
Priority: 5
Submitted By: ikedasoji (ikedasoji)
Assigned to: Nobody/Anonymous (nobody)
Summary: Inputs are incompletely escaped & saved (2.1 & 2.2)

Initial Comment:
Inputs on admin pages are incompletely escaped, then the escaped values are saved (except 'info' property). This expedient solution has caused the following problems:

o Input including `"' breaks HTML formatting.
o `<' is not allowed in admin/user option value (it is replaced with '&lt;' in many contexts).
o 'info' in admin page might break HTML formatting with some sort of tags (e.g. '</textarea>').

This patch solves these problems. The unescaped value is always saved (except '<script>' in 'info') and escaped only when it is displayed as HTML.
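
The three problems listed in the report, and the store-raw, escape-on-display approach it proposes, shown as an added Python example. This is not code from the patch or from Mailman: every function name, the field names `opt` and `info`, and the sample inputs are constructed for illustration, and the "legacy" functions only model the behaviour the report describes.

```python
import html
from html.parser import HTMLParser

# Constructed admin inputs matching the three cases in the report.
SAMPLES = ['Bob "the admin"', 'a < b', '</textarea><b>note']

def legacy_save(value):
    # Escape-on-save as reported: only '<' is replaced, and the result is stored.
    return value.replace('<', '&lt;')

def legacy_input(stored):
    # Stored text is treated as already safe and written straight into the page.
    return '<input name="opt" value="%s">' % stored

def legacy_textarea(raw_info):
    # 'info' was the one property saved unescaped, and it is emitted as-is.
    return '<textarea name="info">%s</textarea>' % raw_info

def save(value):
    return value  # store exactly what the admin typed

def render_input(stored):
    # Escape at display time, including quotes, because this is an attribute.
    return '<input name="opt" value="%s">' % html.escape(stored, quote=True)

def render_textarea(stored):
    return '<textarea name="info">%s</textarea>' % html.escape(stored, quote=False)

class _ValueReader(HTMLParser):
    """Records the value attribute of the first <input>, as an HTML parser sees it."""
    def __init__(self):
        super().__init__()
        self.value = None
    def handle_starttag(self, tag, attrs):
        if tag == 'input' and self.value is None:
            self.value = dict(attrs).get('value')

def shown_value(markup):
    reader = _ValueReader()
    reader.feed(markup)
    reader.close()
    return reader.value

def textarea_intact(markup):
    # Exactly one closing tag means the field content did not end the element.
    return markup.lower().count('</textarea') == 1

if __name__ == '__main__':
    for s in SAMPLES:
        print(repr(s), '| legacy:', repr(shown_value(legacy_input(legacy_save(s)))),
              '| fixed:', repr(shown_value(render_input(save(s)))))
```
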