[Mailman-Users] Use of " in footer

Mark Sapiro msapiro at value.net
Sat Feb 26 00:41:38 CET 2005

John Fleming wrote:
>OK, I got it to work like I want.  Is there a security risk to doing the 
>footer this way?

No, there's no security issue. Just the issue of an update from the web
page undoing what you've done.

The security issue is protecting against a malicious list administrator
perpetrating attacks by entering scripts into attribute boxes. For
general information about this kind of attack, try

Mailman protects against this by escaping all HTML tag-like stuff
that's entered in these web forms.

There's no issue with putting the unescaped characters in via
config_list since only a trusted site administrator can do this, and
presumably won't put in any villainous stuff.

Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
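
Added example (not part of the original message and not Mailman's own code): a small Python model of the two write paths described above, showing why a value stored through the trusted path changes when the web form saves it again. It assumes the web path escapes with `html.escape`; the class, method names and sample values are hypothetical.

```python
import html


class ListSettings:
    """Toy model of a list's text attributes with two write paths."""

    def __init__(self):
        self.attrs = {}

    def set_from_web(self, name, value):
        # Untrusted path: a list administrator typed this into a web form,
        # so tag-like characters are neutralised before the value is stored.
        self.attrs[name] = html.escape(value, quote=True)

    def set_from_config(self, name, value):
        # Trusted path: only the site administrator can reach it, so the
        # value is stored exactly as given.
        self.attrs[name] = value

    def resave_from_web(self, name):
        # Models submitting the admin page again: the stored value goes
        # back through the escaping web path.
        self.set_from_web(name, self.attrs[name])


def demo():
    settings = ListSettings()

    # Constructed sample footer containing literal double quotes.
    settings.set_from_config("msg_footer", 'Visit "our list" page')
    raw = settings.attrs["msg_footer"]

    # A later update from the web page rewrites the unescaped characters.
    settings.resave_from_web("msg_footer")
    after_web = settings.attrs["msg_footer"]

    # Constructed sample of script markup entered into an attribute box.
    settings.set_from_web("description", "<script>alert(1)</script>")
    return raw, after_web, settings.attrs["description"]


if __name__ == "__main__":
    for value in demo():
        print(value)
```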
