[ mailman-Patches-1520343 ] Inputs are incompletely escaped & saved (2.1 & 2.2)

SourceForge.net noreply at sourceforge.net
Tue Jul 11 06:34:10 CEST 2006


Patches item #1520343, was opened at 2006-07-11 13:34
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1520343&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Web UI
Group: Mailman 2.2 / 3.0
Status: Open
Resolution: None
Priority: 5
Submitted By: ikedasoji (ikedasoji)
Assigned to: Nobody/Anonymous (nobody)
Summary: Inputs are incompletely escaped & saved (2.1 & 2.2)

Initial Comment:
Inputs on admin pages are incompletely escaped, then
the escaped values are saved (except 'info' property).
This expedient solution has caused the following problems:
o Input including `"' breaks HTML formatting.
o `<' is not allowed in admin/user option value (it is
replaced with '&lt;' in many contexts).
o 'info' in admin page might break HTML formatting with
some sort of tags (e.g. '</textarea>').

This patch solves these problems.  The unescaped
value is always saved (except '<script>' in 'info') and
is escaped only when it is displayed as HTML.


----------------------------------------------------------------------

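The difference between the two approaches in the comment above, as an added example that is not part of the tracker item or of the Mailman patch: partial escaping at save time versus storing the raw value and escaping at output. The function names, the `option` field name, the sample inputs and the "only `<` is escaped" model of the old behaviour are assumptions made for illustration; stripping of `<script>` from 'info' is not modelled.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the tracker item).
OPTION = 'say "hi" <all>'
INFO = 'About us</textarea><b>injected</b>'

def save_before(raw):
    # Assumed model of the reported behaviour: partial escaping at save time
    # ('<' only), so the stored value no longer equals what the admin typed.
    return raw.replace("<", "&lt;")

def render_before(stored):
    # Stored value is interpolated unchanged; a '"' closes the attribute early.
    return '<input name="option" value="%s">' % stored

def save_after(raw):
    # Approach described in the report: store the value unescaped.
    return raw

def render_input_after(stored):
    # Escape at output time; quote=True also encodes '"' and "'".
    return '<input name="option" value="%s">' % html.escape(stored, quote=True)

def render_info_after(stored):
    # Escaped text cannot contain a literal '</textarea>' that ends the element.
    return '<textarea name="info">%s</textarea>' % html.escape(stored, quote=True)

class _ValueGrabber(HTMLParser):
    value = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")

def browser_sees(markup):
    """Return the value attribute an HTML parser recovers from the first <input>."""
    parser = _ValueGrabber()
    parser.feed(markup)
    parser.close()
    return parser.value

if __name__ == "__main__":
    print(render_before(save_before(OPTION)))
    print(repr(browser_sees(render_before(save_before(OPTION)))))
    print(render_input_after(save_after(OPTION)))
    print(render_info_after(save_after(INFO)))
```

Parsing the rendered markup back is the useful check here: with output-time escaping the parser recovers exactly the stored string, so re-saving the form does not alter the value.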