http://www.mail-archive.com/mailman-developers%40python.org/msg12017.html
diff -Naurp mailman-2.1.13/Mailman/Cgi/listinfo.py mailman-2.1.13.oden/Mailman/Cgi/listinfo.py
--- mailman-2.1.13/Mailman/Cgi/listinfo.py 2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.13.oden/Mailman/Cgi/listinfo.py 2010-10-01 13:33:04.481678420 +0200
@@ -94,7 +94,7 @@ def listinfo_overview(msg=''):
             else:
                 advertised.append((mlist.GetScriptURL('listinfo'),
                                    mlist.real_name,
-                                   mlist.description))
+                                   Utils.websafe(mlist.description)))
     if msg:
         greeting = FontAttr(msg, color="ff5060", size="+1")
     else:
diff -Naurp mailman-2.1.13/Mailman/HTMLFormatter.py mailman-2.1.13.oden/Mailman/HTMLFormatter.py
--- mailman-2.1.13/Mailman/HTMLFormatter.py 2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.13.oden/Mailman/HTMLFormatter.py 2010-10-01 13:34:43.216731278 +0200
@@ -383,8 +383,9 @@ class HTMLFormatter:
             '<mm-mailman-footer>' : self.GetMailmanFooter(),
             '<mm-list-name>' : self.real_name,
             '<mm-email-user>' : self._internal_name,
-            '<mm-list-description>' : self.description,
-            '<mm-list-info>' : BR.join(self.info.split(NL)),
+            '<mm-list-description>' : Utils.websafe(self.description),
+            '<mm-list-info>' :
+                '<!---->' + BR.join(self.info.split(NL)) + '<!---->',
             '<mm-form-end>' : self.FormatFormEnd(),
             '<mm-archive>' : self.FormatArchiveAnchor(),
             '</mm-archive>' : '</a>',
diff -Naurp mailman-2.1.13/Mailman/Utils.py mailman-2.1.13.oden/Mailman/Utils.py
--- mailman-2.1.13/Mailman/Utils.py 2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.13.oden/Mailman/Utils.py 2010-10-01 13:35:16.302743970 +0200
@@ -911,6 +911,7 @@ _badwords = [
     # Kludge to allow the specific tag that's in the options.html template.
     '<link(?! rel="SHORTCUT ICON" href="<mm-favicon>">)',
     '<meta',
+    '<object',
     '<script',
     r'(?:^|\W)j(?:ava)?script(?:\W|$)',
     r'(?:^|\W)vbs(?:cript)?(?:\W|$)',
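Review bot: `Utils.websafe` is now applied to `mlist.description` at the point where the `advertised` tuple is built, so the code that later renders that list (outside this hunk, like the rest of `listinfo_overview`) must not escape it a second time or an `&` in a description will be shown as `&amp;`. A comment at the tuple would make that contract visible, e.g. `# description is HTML-escaped here; do not websafe() it again when rendering`. `mlist.real_name` in the same tuple is left unescaped; if it is constrained elsewhere to a safe character set that is fine, otherwise it deserves the same treatment. This also assumes `Utils` is imported at the top of listinfo.py, which is outside the hunk.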
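Review bot: The `<mm-list-info>` replacement still inserts `self.info` unescaped while its sibling `<mm-list-description>` is now passed through `Utils.websafe`, and the `'<!---->'` markers wrapped around it carry no explanation, so a maintainer cannot tell whether the asymmetry is deliberate. If `info` is meant to carry owner-supplied HTML that is screened somewhere else (presumably the `_badwords` check in Utils, which this patch also touches), say so at the site, e.g. `# NOTE: info is owner-supplied HTML, intentionally not websafe()'d here; document where it is screened and why the <!----> wrappers are needed`. The enclosing method that builds this dict starts and ends outside the hunk.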
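Review bot: Adding `'<object'` extends a deny-list of tag prefixes, and such a list is only as good as its coverage; unless they appear in the part of `_badwords` outside this hunk, `<embed` and `<iframe` would pass the same check, so the gap should be closed in the same change or noted as a known limitation. Whether the match is case-insensitive depends on how the combined pattern is compiled, which is also outside the hunk; a one-line comment above the list stating that it is matched case-insensitively (or not) would make the entries reviewable on their own. For owner-supplied HTML an allow-list of permitted tags is the more robust long-term shape. `_badwords` starts and ends outside the hunk.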