Hi,

    A quick question that may be answered elsewhere, and if so I 
apologize. In the Web-based list archive, any HTML tags that are 
included in the "subject" line of a message get sent to the browser 
as HTML, and so start opening elements like <input>, <pre>, or 
inserting <hr>s.  It would be a very good idea to translate the HTML 
angle-bracket characters to &lt; &gt; (or the numeric equivalents) at 
a minimum-- ampersands should probably get the same treatment.  As 
things are now, someone could post a message with a subject line 
containing a 'script' element that points to a security-exploiting 
piece of JS somewhere, thus making that month's archive into a trojan 
horse.

--
Eric A. Meyer ([EMAIL PROTECTED]) http://www.meyerweb.com/eric/
Author, "Cascading Style Sheets: The Definitive Guide" and
"CSS 2.0 Programmer's Reference"  http://www.meyerweb.com/eric/books/


------------------------------------------------------
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
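The escaping Eric asks for, as an added example in Python (this is not Mailman's or Pipermail's own archiver code; the index-row template, the function names and the sample subjects are constructed for illustration). It shows the difference between interpolating a subject verbatim and escaping it first, the order-of-replacement pitfall with `&`, and the point that escaping has to happen after the RFC 2047 header is decoded, since an encoded word can otherwise carry the markup straight past a filter that only looks at the raw header:

```python
"""Escape mailing-list subjects before emitting them into an HTML archive
index. Added example, not Mailman/Pipermail code; the row template and the
function names are hypothetical."""
import base64
import html
from email.header import decode_header, make_header

# Constructed sample subjects (not real list traffic). The last one is the
# same <script> payload wrapped as an RFC 2047 encoded word, which is one
# way a subject header can actually arrive on the wire.
SCRIPT_SUBJECT = '<script src="http://example.invalid/x.js"></script>'
SAMPLE_SUBJECTS = [
    "Re: archive question",
    "Fish & chips <pre>",
    SCRIPT_SUBJECT,
    "=?utf-8?b?" + base64.b64encode(SCRIPT_SUBJECT.encode()).decode() + "?=",
]


def decode_subject(raw: str) -> str:
    """Turn the raw header value into text. Escaping must run AFTER this
    step: an encoded word contains no '<' or '&' until it is decoded."""
    return str(make_header(decode_header(raw)))


def escape_subject(subject: str) -> str:
    """Replace every character that has meaning to the HTML parser.

    '&' goes first: escaping '<' to '&lt;' and only then touching '&' would
    turn the entity into '&amp;lt;'. Quotes are escaped as well, so the same
    string is also safe inside a quoted attribute such as title="...".
    """
    return (subject.replace("&", "&amp;")
                   .replace("<", "&lt;")
                   .replace(">", "&gt;")
                   .replace('"', "&quot;")
                   .replace("'", "&#x27;"))


def escape_subject_wrong_order(subject: str) -> str:
    """The classic mistake, kept for comparison: '&' handled last, so the
    entities just produced are double-escaped and render as literal '&lt;'."""
    return (subject.replace("<", "&lt;")
                   .replace(">", "&gt;")
                   .replace("&", "&amp;"))


def render_row_unsafe(msgid: str, raw_subject: str) -> str:
    """A hypothetical index row that interpolates the subject verbatim,
    which is the behaviour described in the message above."""
    subject = decode_subject(raw_subject)
    return f'<li><a href="{msgid}.html">{subject}</a></li>'


def render_row_safe(msgid: str, raw_subject: str) -> str:
    """Same row, with the subject escaped for both the element body and
    the title attribute."""
    subject = escape_subject(decode_subject(raw_subject))
    return f'<li><a href="{msgid}.html" title="{subject}">{subject}</a></li>'


def subject_injects_markup(rendered: str) -> bool:
    """True if any tag beyond the template's own <li>, <a>, </a>, </li>
    survived, i.e. the subject contributed markup of its own."""
    return rendered.count("<") > 4


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_SUBJECTS, start=1):
        msgid = f"{i:06d}"
        for label, render in (("unsafe", render_row_unsafe),
                              ("safe  ", render_row_safe)):
            row = render(msgid, raw)
            flag = "INJECTED" if subject_injects_markup(row) else "ok"
            print(f"{label} {flag:8} {row}")
```

`escape_subject` produces exactly what the standard library's `html.escape` does (with its default `quote=True`), so in real code the stdlib call is the right choice; the hand-written version is here only to make the ordering point visible. Note that this covers the two contexts the archive page uses the subject in (element text and a quoted attribute); a subject placed inside a URL, a `<script>` block or an unquoted attribute would need a different encoding for that context.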
