[Mailman-Users] Removing illegal character user names

Stephen J. Turnbull stephen at xemacs.org
Mon Mar 12 07:03:51 CET 2007

Mark Sapiro writes:

 > I understand the point about good practice, and we do try to validate
 > user input in Mailman to avoid possible XSS attacks via the web
 > interface. What we're dealing with here are syntactically validated
 > email addresses so the really nasty stuff has already been caught.
 > Still, I'm interested in feedback from anyone who has an opinion about
 > this.

How about a separate query box for getting at these unusual (if not
bogus) addresses?  Then the screenscrapers should continue to work,
unless their parsers will break if the output is not identical up to
the </html>.

For example, add to the member search query a "find invalid addresses"
button.  This should not cause any problems unless such addresses are
present, and you don't need to worry about 100% RFC correctness (ie,
you can be stricter than RFC 2822 demands) since any actual actions
will be manual.

More information about the Mailman-Users mailing list