#421 FIX: Inputs are incompletely escaped & saved (2.1 & 2.2)

Mailman 2.2 / 3.0
open
Tokio Kikuchi
Web UI (73)
7
2006-07-11
2006-07-11
ikedasoji
No

Inputs on admin pages are incompletely escaped, then
the escaped values are saved (except 'info' property).
This expedient solution has caused the following problems:
o Input including `"' breaks HTML formatting.
o `<' is not allowed in admin/user option value (it is
replaced with '&lt;' in many contexts).
o 'info' in admin page might break HTML formatting with
some sort of tags (e.g. '</textarea>').

This patch solves these problems. The unescaped
value is always saved (except '<script>' in 'info') and
is escaped only when it is displayed as HTML.
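
The difference between saving escaped input and escaping only at display time, as an added Python sketch that is not Mailman code and not part of the attached patch. The function names, the `<`-only escape and the sample values are constructed for illustration.

```python
import html

def incomplete_escape(value):
    # Constructed stand-in for the behaviour the ticket describes: only '<'
    # is replaced, so '"' and '&' pass through untouched.
    return value.replace("<", "&lt;")

def save_escaped(store, key, value):
    # "Before": the (incompletely) escaped form is what gets stored.
    store[key] = incomplete_escape(value)

def save_raw(store, key, value):
    # "After": the stored value is exactly what the admin typed.
    store[key] = value

def render_input(name, stored, escape_on_output):
    # Attribute context: an unescaped '"' terminates value="..." early.
    shown = html.escape(stored, quote=True) if escape_on_output else stored
    return '<input name="%s" value="%s">' % (name, shown)

def render_textarea(name, stored, escape_on_output):
    # Element context: an unescaped '</textarea>' closes the field early.
    shown = html.escape(stored, quote=True) if escape_on_output else stored
    return '<textarea name="%s">%s</textarea>' % (name, shown)

# Constructed sample inputs, one per problem listed in the ticket.
QUOTED = 'The "announce" list'
ANGLE = 'replies < 10 per day'
INFO = 'See </textarea><b>notes</b>'

def demo():
    old, new = {}, {}
    for key, val in (("quoted", QUOTED), ("angle", ANGLE), ("info", INFO)):
        save_escaped(old, key, val)
        save_raw(new, key, val)
    old["info"] = INFO  # the ticket notes 'info' was the one value saved unescaped
    return old, new

if __name__ == "__main__":
    old, new = demo()
    print(render_input("quoted", old["quoted"], False))    # broken attribute
    print(render_input("quoted", new["quoted"], True))     # intact attribute
    print(old["angle"], "|", new["angle"])                 # stored data differs
    print(render_textarea("info", old["info"], False))     # field closed early
    print(render_textarea("info", new["info"], True))      # field intact
```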

Discussion

  • ikedasoji
    2006-07-11

    • priority: 5 --> 7
     
  • ikedasoji
    2006-07-11

    for 2.2.0a1 (untested)

     
  • ikedasoji
    2006-07-11

    • assigned_to: nobody --> tkikuchi
    • summary: Inputs are incompletely escaped & saved (2.1 & 2.2) --> FIX: Inputs are incompletely escaped & saved (2.1 & 2.2)