authorMark Sapiro <msapiro@value.net>2011-04-25 16:26:13 -0700
committerMark Sapiro <msapiro@value.net>2011-04-25 16:26:13 -0700
commit7ef6c582816cb349f240054064d495753a916408 (patch)
tree57ab4a00cad7b892e8ef64ac58237ef0c2d30a7b /Mailman/Utils.py
parent9bc9d9c391b0726d9b4538a79732f24f7d974443 (diff)
Strengthened escaping of user web data by including some characters that
some older browsers misinterpret as < or >.
Diffstat (limited to 'Mailman/Utils.py')
-rw-r--r--Mailman/Utils.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 847e450e..9a29662b 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -425,7 +425,15 @@ def check_global_password(response, siteadmin=True):
_ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
+# Characters misinterpreted as < or > by some broken browsers.
+_broken_browser = {'\x8b': '&#8249;',
+ '\x9b': '&#8250;',
+ '\xbc': '&#188;',
+ '\xbd': '&#190;',
+ }
def websafe(s):
+ for k in _broken_browser:
+ s = s.replace(k, _broken_browser[k])
# Don't double escape html entities
return _ampre.sub(r'&\1', cgi.escape(s, quote=True))
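Review bot: The last entry of `_broken_browser` pairs the byte `'\xbd'` (decimal 189, ½) with `&#190;`, which is the reference for 0xBE (¾), so ½ is rewritten as ¾ while the byte 0xBE passes through `websafe` unescaped. 0xBE is the byte that becomes `>` when the high bit is dropped, just as 0xBC becomes `<`, so if the intent matches the comment above the table the entry should read `'\xbe': '&#190;',`. Separately, the loop in `websafe` replaces raw bytes before `cgi.escape` runs, and all four keys are valid UTF-8 continuation bytes, so a UTF-8 encoded `s` would presumably have its multibyte characters broken apart. The charset of `s` is not visible in this hunk, so it is worth either limiting the replacement to single-byte charsets or documenting that assumption next to the table.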