[Mailman-Users] Use of " in footer
Mark Sapiro
msapiro at value.net
Sat Feb 26 00:41:38 CET 2005
John Fleming wrote:
>
>OK, I got it to work like I want. Is there a security risk to doing the
>footer this way?
No, there's no security issue. Just the issue of an update from the web
page undoing what you've done.
The security issue is protecting against a malicious list administrator
perpetrating attacks by entering scripts into attribute boxes. For
general information about this kind of attack, try
http://www.google.com/search?q=XSS
Mailman protects against this by escaping all HTML-tag-like stuff
that's entered in these web forms.
There's no issue with putting the unescaped characters in via
config_list since only a trusted site administrator can do this, and
presumably won't put in any villainous stuff.
--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
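
Added example, not part of the original message and not Mailman's own code: a small Python model of the two write paths described in the reply above, showing why a later save from the web page undoes a footer set through the trusted path. The class, its method names and the sample footer are hypothetical, and Python's `html.escape` stands in for whatever escaping Mailman applies.

```python
import html


class ListSettings:
    """Hypothetical stand-in for a list's stored attributes (not Mailman code)."""

    def __init__(self, real_name):
        self.real_name = real_name
        self.msg_footer = ""

    def save_from_web_form(self, submitted):
        # Untrusted path: whatever the list administrator's browser sends is
        # escaped, so tag-like input is stored as inert text.
        self.msg_footer = html.escape(submitted, quote=True)

    def save_from_site_admin(self, value):
        # Trusted path (the role config_list plays in the thread): stored verbatim.
        self.msg_footer = value

    def footer_for_mail(self):
        # The footer lands in a plain-text message, so entities are not decoded.
        return self.msg_footer % {"real_name": self.real_name}


def demo():
    lst = ListSettings("Test-List")
    wanted = 'Sent via the "%(real_name)s" list'  # constructed sample footer

    # Tag-like input from the web form is stored escaped.
    lst.save_from_web_form("<script>alert(1)</script>")
    neutralised = lst.msg_footer

    # The site administrator's raw value keeps its double quotes.
    lst.save_from_site_admin(wanted)
    via_trusted = lst.footer_for_mail()

    # A later save from the web page re-escapes the field and undoes the edit.
    lst.save_from_web_form(wanted)
    after_web_save = lst.footer_for_mail()
    return neutralised, via_trusted, after_web_save


if __name__ == "__main__":
    for line in demo():
        print(line)
```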