[Mailman-Developers] Against CSS (CERT CA-2000-02)
Tokio Kikuchi
tkikuchi@is.kochi-u.ac.jp
Mon, 24 Jul 2000 18:59:14 +0900
Hi, Developers,
While I am working on the Japanese translation of Mailman,
I realized there are many cases where HTML escaping
(like < to &lt;) is needed in view of CERT Advisory
2000-02, <http://www.cert.org/advisories/CA-2000-02.html>.
This is also known as 'cross site scripting', see
<http://www.apache.org/info/css-security/>.
They are to be avoided by rewriting
doc.AddItem(Bold('No such list %s' % listname))
to
doc.AddItem(Bold('No such list %s' % cgi.escape(listname)))
I hope these corrections will be made in the next
release.
Thank you.
--
Tokio Kikuchi, tkikuchi@is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/