[Mailman-Users] Web-based list archive problem
Eric A. Meyer
eric at meyerweb.com
Tue May 14 18:32:19 CEST 2002
Hi,
A quick question that may be answered elsewhere, and if so I
apologize. In the Web-based list archive, any HTML tags that are
included in the "subject" line of a message get sent to the browser
as HTML, and so start opening elements like <input>, <pre>, or
inserting <hr>s. It would be a very good idea to translate the HTML
angle-bracket characters to &lt; &gt; (or the numeric equivalents) at
a minimum-- ampersands should probably get the same treatment. As
things are now, someone could post a message with a subject line
containing a 'script' element that points to a security-exploiting
piece of JS somewhere, thus making that month's archive into a trojan
horse.
--
Eric A. Meyer (eric at meyerweb.com) http://www.meyerweb.com/eric/
Author, "Cascading Style Sheets: The Definitive Guide" and
"CSS 2.0 Programmer's Reference" http://www.meyerweb.com/eric/books/
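The escaping the post asks for, as an added example in Python (Mailman's own language) that is not Mailman's code: the sample messages, the unsafe and hardened index renderers, and the `tags_in` check are all constructed here for illustration.

```python
import html
from html.parser import HTMLParser
from typing import List, Set, Tuple

# Constructed sample messages (sender, subject); not taken from any real archive.
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("alice", "Re: Meeting on <Tuesday> & Wednesday"),
    ("bob", "Test of an <hr> in the subject"),
    ("mallory", '<script src="http://example.invalid/x.js"></script>'),
]


def escape_subject(subject: str) -> str:
    """Escape the five characters that turn text into markup: & < > " '.

    Ampersands must be escaped as well as angle brackets, otherwise a subject
    such as '&lt;b&gt;' is decoded by the browser straight back into a tag.
    quote=True makes the result safe inside attribute values too.
    """
    return html.escape(subject, quote=True)


def render_index_unsafe(messages: List[Tuple[str, str]]) -> str:
    """The behaviour the post describes: subjects pasted into the page verbatim."""
    return "\n".join(
        f'<li><a href="{n:06d}.html">{subject}</a> ({sender})</li>'
        for n, (sender, subject) in enumerate(messages)
    )


def render_index_safe(messages: List[Tuple[str, str]]) -> str:
    """Hardened version: every untrusted field is escaped before emission."""
    return "\n".join(
        f'<li><a href="{n:06d}.html" title="{escape_subject(subject)}">'
        f"{escape_subject(subject)}</a> ({escape_subject(sender)})</li>"
        for n, (sender, subject) in enumerate(messages)
    )


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> Set[str]:
    """Check: the rendered index should contain only the template's own tags."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return set(parser.tags)
```

With the sample data, `tags_in(render_index_unsafe(...))` reports `script`, `hr` and `tuesday` as live elements, while the safe renderer yields only `li` and `a`.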