[Mailman-Developers] HTML escaping in text blobs, was Re: Admin-controlled rejectiontext...

Mark Sapiro msapiro at value.net
Fri Jan 21 05:40:51 CET 2005

Bryan Fullerton wrote:

>On Thu, 20 Jan 2005 18:55:51 -0800, Mark Sapiro <msapiro at value.net> wrote:
>> First is all text entered via the web admin interface is HTML escaped
>> resulting in the &lt;, etc.
>> To avoid this, set the text for member_moderation_notice using
>> bin/config_list instead of using the web interface.
>This generally needs a better solution. "Use bin/config_list" is fine
>as a solution for site admins, but isn't useful for list admins -
>they're basically stuck until the site admins manually handle each
>Perhaps parsing the escaped bits or tag replacement for the text blobs
>submitted via the web interface? This isn't a new issue on the web,
>other people using python must have found some way of dealing with it.

I agree that it would be good to have a solution that would allow
list-admins to put HTML tags or even just "&" characters in some of
these fields. Currently, the 'info' field is treated specially and
allows anything but a </?script.*> tag. Everything else is fully HTML

The purpose of this is to prevent XSS attacks presumably by list
admins. Since the contents of these fields are displayed on the admin
web pages regardless of how they are entered, if list admins are
deemed untrustworthy at the site level, they shouldn't be allowed to
put this stuff in by any method.

I personally know very little about XSS attacks and am unable to
comment intelligently on how much security is required.

>Or, alternatively, perhaps email commands for updating the various
>text blobs? (that has other charset issues, but...)

Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Developers mailing list