Uh, sorry for the simple question (but it will be easy to answer). In non-digest mode, footer option - How do I get a doublequote to appear instead of &quote? Like if I wanted it to read "This is a test."
Thanks!
John Fleming wrote:
Uh, sorry for the simple question (but it will be easy to answer). In non-digest mode, footer option - How do I get a doublequote to appear instead of &quote? Like if I wanted it to read "This is a test."
The escaping of certain characters >, <, & and " entered on the admin web pages is a result of "cleansing" to prevent XSS attacks. This means if you want to put these things in msg_footer or whatever, you have to use bin/config_list (or withlist) to do it.
e.g.
bin/config_list -i filename listname
where filename contains for example
msg_footer="""
a line with "quoted" word
some other stuff
"""
-- Mark Sapiro msapiro@value.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
----- Original Message -----
From: "Mark Sapiro" msapiro@value.net
To: "John Fleming" john@wa9als.com; mailman-users@python.org
Sent: Friday, February 25, 2005 4:03 PM
Subject: Re: [Mailman-Users] Use of " in footer
John Fleming wrote:
Uh, sorry for the simple question (but it will be easy to answer). In non-digest mode, footer option - How do I get a doublequote to appear instead of &quote? Like if I wanted it to read "This is a test."
The escaping of certain characters >, <, & and " entered on the admin web pages is a result of "cleansing" to prevent XSS attacks. This means if you want to put these things in msg_footer or whatever, you have to use bin/config_list (or withlist) to do it.
e.g.
bin/config_list -i filename listname
where filename contains for example
msg_footer="""
a line with "quoted" word
some other stuff
"""
Thanks, Mark. So if I make filename containing:
msg_footer="""
This is a "test".
some other stuff
"""
and then run bin/config_list -i filename listname, what exactly would I get? IOW, do the lines above REPLACE the default I see in the web interface or ADD TO it? tnx
John Fleming wrote:
Thanks, Mark. So if I make filename containing:
msg_footer="""
This is a "test".
some other stuff
"""
and then run bin/config_list -i filename listname, what exactly would I get? IOW, do the lines above REPLACE the default I see in the web interface or ADD TO it? tnx
They will replace what you currently have. To add to, you need to put the existing lines in filename too.
Also note in the example I gave and yours above, there will be a new-line at the start of the footer which will result in an "extra" blank line. It is probably preferable to use
msg_footer="""This is a "test".
some other stuff
"""
instead.
Also note, once you have set msg_footer (or whatever) containing '"' characters in this way, any edit at all to that page in the admin web interface will change the '"' back to '&quot;'. Thus you're committed from then on to make changes to the items on that page with config_list.
-- Mark Sapiro msapiro@value.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
msg_footer="""This is a "test".
some other stuff
"""
instead.
OK, I got it to work like I want. Is there a security risk to doing the footer this way?
Many thanks!
John Fleming wrote:
OK, I got it to work like I want. Is there a security risk to doing the footer this way?
No. There's no security issue. Just the issue of an update from the web page undoing what you've done.
The security issue is protecting against a malicious list administrator perpetrating attacks by entering scripts into attribute boxes. For general information about this kind of attack, try http://www.google.com/search?q=XSS
Mailman protects against this by escaping all HTML tag like stuff that's entered in these web forms.
There's no issue with putting the unescaped characters in via config_list since only a trusted site administrator can do this, and presumably won't put in any villainous stuff.
-- Mark Sapiro msapiro@value.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
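An added example, not part of the original thread and not Mailman's own code: a small Python model of the behaviour discussed above (input-file values replace the old footer, the leading newline, and a later web-form save re-escaping the quotes). It assumes the config_list input file is evaluated as Python assignments, as the triple-quoted syntax in the thread suggests; the function names and sample footers are constructed for illustration.

```python
# Constructed sample input files, in the two forms discussed in the thread.
WITH_LEADING_NEWLINE = 'msg_footer="""\nThis is a "test".\nsome other stuff\n"""\n'
WITHOUT_LEADING_NEWLINE = 'msg_footer="""This is a "test".\nsome other stuff\n"""\n'


def web_form_cleanse(value):
    """Stand-in for the admin form cleansing: escape &, <, > and "."""
    # "&" must be handled first so the entities added below are not re-escaped.
    for char, entity in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")):
        value = value.replace(char, entity)
    return value


def load_config_list_input(text):
    """Evaluate an input file of Python assignments and return the names it sets.

    The file is executed as code, which is why only a trusted site
    administrator should be able to supply it.
    """
    namespace = {}
    exec(text, {"__builtins__": {}}, namespace)
    return namespace


def apply_input(current_settings, text):
    """Values from the input file replace existing ones; nothing is appended."""
    updated = dict(current_settings)
    updated.update(load_config_list_input(text))
    return updated


def save_from_web_form(settings):
    """Model a save of the admin page: every field goes through the cleansing."""
    return {name: web_form_cleanse(value) for name, value in settings.items()}


if __name__ == "__main__":
    existing = {"msg_footer": "default footer text"}
    for label, text in (("leading newline", WITH_LEADING_NEWLINE),
                        ("no leading newline", WITHOUT_LEADING_NEWLINE)):
        print(label, "->", repr(apply_input(existing, text)["msg_footer"]))
    imported = apply_input(existing, WITHOUT_LEADING_NEWLINE)
    print("after web save ->", repr(save_from_web_form(imported)["msg_footer"]))
    print("tag typed into the form ->", web_form_cleanse("<script>...</script>"))
```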