[Bug 266273] Re: Error while editiing general list information page

Mark Sapiro mark at msapiro.net
Sun Feb 21 05:00:42 CET 2010


If by "still seeing the error" you mean that the default options.html
template generates the "suspicious html" message in the GUI editor, then
I don't understand why, because that was fixed in 2.1.12 as you gather,
by adding a negative lookahead to except that specific <link> tag.

If you mean just that the test is too strict because it thinks various
innocent tags are suspicious, then yes, you are correct. It does that.
And, it should be a whitelist rather than a blacklist, which would make
it even stricter.

It is not intended to be a 100% perfect XSS detector or even close. It
is intended to require that anything remotely suspicious be installed by
an admin with shell access. This doesn't mean that list admins should be
given shell access to do this. That would defeat the whole purpose of
the test. It means that only a site admin has authority to bypass the
test.

As I said, the web interface will be redone completely for MM 3. It is
not clear that this will have any relevance there, but if you wish to
submit an RFE for the "trusted list admin" option that would allow list
admins to alter the web interface for their list in any way they wish,
please do.

However, nothing is likely to change on the 2.1 branch.

-- 
Error while editiing general list information page
https://bugs.launchpad.net/bugs/266273
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
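
The trade-off described in this message, as an added example that is not part of the original post and is not Mailman's code: a denylist regex with a negative lookahead exempting one specific `<link>` tag, beside an allowlist check that is stricter. The pattern, the exempted tag, the allowed-tag set and the sample inputs are all constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Everything below is constructed for illustration; none of it is Mailman's code.
EXEMPT = '<link rel="icon" href="/favicon.ico">'   # hypothetical exempted tag
DENYLIST = re.compile(
    r'<\s*(?:script|iframe|object|embed)\b'         # active-content tags
    r'|<[^>]*\bon\w+\s*='                           # inline event handlers
    r'|<link(?!' + re.escape(EXEMPT[5:]) + r')',    # any <link> except EXEMPT
    re.IGNORECASE,
)
ALLOWED_TAGS = {"html", "head", "title", "body", "p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"href", "name"}                    # href values are not validated here

def denylist_suspicious(html):
    """True if the denylist pattern matches anywhere in the template."""
    return bool(DENYLIST.search(html))

class _AllowlistChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.rejected.append(tag)
            return
        for name, _value in attrs:
            if name not in ALLOWED_ATTRS:
                self.rejected.append(f"{tag}[{name}]")

def allowlist_rejects(html):
    """Return every tag or tag[attribute] that is not explicitly allowed."""
    checker = _AllowlistChecker()
    checker.feed(html)
    checker.close()
    return checker.rejected

SAMPLES = [  # constructed inputs
    EXEMPT,                                       # passes denylist via the lookahead
    '<link rel="stylesheet" href="/site.css">',   # innocent, but flagged by denylist
    '<p onclick="track()">hi</p>',                # flagged by both
    '<base href="https://example.invalid/">',     # unlisted tag: only allowlist rejects
    '<p>Hello <b>world</b></p>',                  # accepted by both
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: denylist={denylist_suspicious(s)} allowlist={allowlist_rejects(s)}")
```
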