mailman/contribs8/mailman-2.1.9-CVE-2008-0564.patch

=== modified file 'Mailman/Cgi/edithtml.py'
--- Mailman/Cgi/edithtml.py     2006-08-30 14:54:22 +0000
+++ Mailman/Cgi/edithtml.py     2007-12-04 19:52:18 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2007 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -159,7 +159,20 @@
         doc.AddItem('<hr>')
         return
     code = cgi_info['html_code'].value
-    code = re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', code)
+    if Utils.suspiciousHTML(code):
+        doc.AddItem(Header(3,
+           _("""The page you saved contains suspicious HTML that could
+potentially expose your users to cross-site scripting attacks.  This change
+has therefore been rejected.  If you still want to make these changes, you
+must have shell access to your Mailman server.
+             """)))
+        doc.AddItem(_('See '))
+        doc.AddItem(Link(
+'http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.048.htp',
+                _('FAQ 4.48.')))
+        doc.AddItem(Header(3,_("Page Unchanged.")))
+        doc.AddItem('<hr>')
+        return
     langdir = os.path.join(mlist.fullpath(), mlist.preferred_language)
     # Make sure the directory exists
     omask = os.umask(0)

=== modified file 'Mailman/Gui/General.py'
--- Mailman/Gui/General.py      2006-08-30 14:54:22 +0000
+++ Mailman/Gui/General.py      2007-12-04 19:52:18 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2006 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2007 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -436,17 +442,21 @@
             # Convert any html entities to Unicode
             mlist.subject_prefix = Utils.canonstr(
                 val, mlist.preferred_language)
+        elif property == 'info':
+            if val <> mlist.info:
+                if Utils.suspiciousHTML(val):
+                    doc.addError(_("""The <b>info</b> attribute you saved
+contains suspicious HTML that could potentially expose your users to cross-site
+scripting attacks.  This change has therefore been rejected.  If you still want
+to make these changes, you must have shell access to your Mailman server.
+This change can be made with bin/withlist or with bin/config_list by setting
+mlist.info.
+                        """))
+                else:
+                    mlist.info = val
         else:
             GUIBase._setValue(self, mlist, property, val, doc)
 
-    def _escape(self, property, value):
-        # The 'info' property allows HTML, but let's sanitize it to avoid XSS
-        # exploits.  Everything else should be fully escaped.
-        if property <> 'info':
-            return GUIBase._escape(self, property, value)
-        # Sanitize <script> and </script> tags but nothing else.  Not the best
-        # solution, but expedient.
-        return re.sub(r'(?i)<([/]?script.*?)>', r'&lt;\1&gt;', value)
 
     def _postValidate(self, mlist, doc):
         if not mlist.reply_to_address.strip() and \

=== modified file 'Mailman/Gui/GUIBase.py'
--- Mailman/Gui/GUIBase.py      2005-08-27 01:40:17 +0000
+++ Mailman/Gui/GUIBase.py      2007-11-18 20:01:26 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2002-2004 by the Free Software Foundation, Inc.
+# Copyright (C) 2002-2007 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -12,7 +12,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+# USA.
 
 """Base class for all web GUI components."""
 
@@ -122,10 +127,6 @@
         # Validate all the attributes for this category
         pass
 
-    def _escape(self, property, value):
-        value = value.replace('<', '&lt;')
-        return value
-
     def handleForm(self, mlist, category, subcat, cgidata, doc):
         for item in self.GetConfigInfo(mlist, category, subcat):
             # Skip descriptions and legacy non-attributes
@@ -144,10 +145,9 @@
             elif not cgidata.has_key(property):
                 continue
             elif isinstance(cgidata[property], ListType):
-                val = [self._escape(property, x.value)
-                       for x in cgidata[property]]
+                val = [x.value for x in cgidata[property]]
             else:
-                val = self._escape(property, cgidata[property].value)
+                val = cgidata[property].value
             # Coerce the value to the expected type, raising exceptions if the
             # value is invalid.
             try:

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py    2007-11-25 08:04:30 +0000
+++ Mailman/Utils.py    2007-12-04 19:52:18 +0000
@@ -876,3 +876,154 @@
     except (LookupError, UnicodeError, ValueError, HeaderParseError):
         # possibly charset problem. return with undecoded string in one line.
         return EMPTYSTRING.join(s.splitlines())
+
+
+# Patterns and functions to flag possible XSS attacks in HTML.
+# This list is compiled from information at http://ha.ckers.org/xss.html,
+# http://www.quirksmode.org/js/events_compinfo.html,
+# http://www.htmlref.com/reference/appa/events1.htm,
+# http://lxr.mozilla.org/mozilla/source/content/events/src/nsDOMEvent.cpp#59,
+# http://www.w3.org/TR/DOM-Level-2-Events/events.html and
+# http://www.xulplanet.com/references/elemref/ref_EventHandlers.html
+# Many thanks are due to Moritz Naumann for his assistance with this.
+_badwords = [
+    '<i?frame',
+    '<link',
+    '<meta',
+    '<script',
+    r'(?:^|\W)j(?:ava)?script(?:\W|$)',
+    r'(?:^|\W)vbs(?:cript)?(?:\W|$)',
+    r'(?:^|\W)domactivate(?:\W|$)',
+    r'(?:^|\W)domattrmodified(?:\W|$)',
+    r'(?:^|\W)domcharacterdatamodified(?:\W|$)',
+    r'(?:^|\W)domfocus(?:in|out)(?:\W|$)',
+    r'(?:^|\W)dommenuitem(?:in)?active(?:\W|$)',
+    r'(?:^|\W)dommousescroll(?:\W|$)',
+    r'(?:^|\W)domnodeinserted(?:intodocument)?(?:\W|$)',
+    r'(?:^|\W)domnoderemoved(?:fromdocument)?(?:\W|$)',
+    r'(?:^|\W)domsubtreemodified(?:\W|$)',
+    r'(?:^|\W)fscommand(?:\W|$)',
+    r'(?:^|\W)onabort(?:\W|$)',
+    r'(?:^|\W)on(?:de)?activate(?:\W|$)',
+    r'(?:^|\W)on(?:after|before)print(?:\W|$)',
+    r'(?:^|\W)on(?:after|before)update(?:\W|$)',
+    r'(?:^|\W)onbefore(?:(?:de)?activate|copy|cut|editfocus|paste)(?:\W|$)',
+    r'(?:^|\W)onbeforeunload(?:\W|$)',
+    r'(?:^|\W)onbegin(?:\W|$)',
+    r'(?:^|\W)onblur(?:\W|$)',
+    r'(?:^|\W)onbounce(?:\W|$)',
+    r'(?:^|\W)onbroadcast(?:\W|$)',
+    r'(?:^|\W)on(?:cell)?change(?:\W|$)',
+    r'(?:^|\W)oncheckboxstatechange(?:\W|$)',
+    r'(?:^|\W)on(?:dbl)?click(?:\W|$)',
+    r'(?:^|\W)onclose(?:\W|$)',
+    r'(?:^|\W)oncommand(?:update)?(?:\W|$)',
+    r'(?:^|\W)oncomposition(?:end|start)(?:\W|$)',
+    r'(?:^|\W)oncontextmenu(?:\W|$)',
+    r'(?:^|\W)oncontrolselect(?:\W|$)',
+    r'(?:^|\W)oncopy(?:\W|$)',
+    r'(?:^|\W)oncut(?:\W|$)',
+    r'(?:^|\W)ondataavailable(?:\W|$)',
+    r'(?:^|\W)ondataset(?:changed|complete)(?:\W|$)',
+    r'(?:^|\W)ondrag(?:drop|end|enter|exit|gesture|leave|over)?(?:\W|$)',
+    r'(?:^|\W)ondragstart(?:\W|$)',
+    r'(?:^|\W)ondrop(?:\W|$)',
+    r'(?:^|\W)onend(?:\W|$)',
+    r'(?:^|\W)onerror(?:update)?(?:\W|$)',
+    r'(?:^|\W)onfilterchange(?:\W|$)',
+    r'(?:^|\W)onfinish(?:\W|$)',
+    r'(?:^|\W)onfocus(?:in|out)?(?:\W|$)',
+    r'(?:^|\W)onhelp(?:\W|$)',
+    r'(?:^|\W)oninput(?:\W|$)',
+    r'(?:^|\W)onkey(?:up|down|press)(?:\W|$)',
+    r'(?:^|\W)onlayoutcomplete(?:\W|$)',
+    r'(?:^|\W)on(?:un)?load(?:\W|$)',
+    r'(?:^|\W)onlosecapture(?:\W|$)',
+    r'(?:^|\W)onmedia(?:complete|error)(?:\W|$)',
+    r'(?:^|\W)onmouse(?:down|enter|leave|move|out|over|up|wheel)(?:\W|$)',
+    r'(?:^|\W)onmove(?:end|start)?(?:\W|$)',
+    r'(?:^|\W)on(?:off|on)line(?:\W|$)',
+    r'(?:^|\W)onoutofsync(?:\W|$)',
+    r'(?:^|\W)onoverflow(?:changed)?(?:\W|$)',
+    r'(?:^|\W)onpage(?:hide|show)(?:\W|$)',
+    r'(?:^|\W)onpaint(?:\W|$)',
+    r'(?:^|\W)onpaste(?:\W|$)',
+    r'(?:^|\W)onpause(?:\W|$)',
+    r'(?:^|\W)onpopup(?:hidden|hiding|showing|shown)(?:\W|$)',
+    r'(?:^|\W)onprogress(?:\W|$)',
+    r'(?:^|\W)onpropertychange(?:\W|$)',
+    r'(?:^|\W)onradiostatechange(?:\W|$)',
+    r'(?:^|\W)onreadystatechange(?:\W|$)',
+    r'(?:^|\W)onrepeat(?:\W|$)',
+    r'(?:^|\W)onreset(?:\W|$)',
+    r'(?:^|\W)onresize(?:end|start)?(?:\W|$)',
+    r'(?:^|\W)onresume(?:\W|$)',
+    r'(?:^|\W)onreverse(?:\W|$)',
+    r'(?:^|\W)onrow(?:delete|enter|exit|inserted)(?:\W|$)',
+    r'(?:^|\W)onrows(?:delete|enter|inserted)(?:\W|$)',
+    r'(?:^|\W)onscroll(?:\W|$)',
+    r'(?:^|\W)onseek(?:\W|$)',
+    r'(?:^|\W)onselect(?:start)?(?:\W|$)',
+    r'(?:^|\W)onselectionchange(?:\W|$)',
+    r'(?:^|\W)onstart(?:\W|$)',
+    r'(?:^|\W)onstop(?:\W|$)',
+    r'(?:^|\W)onsubmit(?:\W|$)',
+    r'(?:^|\W)onsync(?:from|to)preference(?:\W|$)',
+    r'(?:^|\W)onsyncrestored(?:\W|$)',
+    r'(?:^|\W)ontext(?:\W|$)',
+    r'(?:^|\W)ontimeerror(?:\W|$)',
+    r'(?:^|\W)ontrackchange(?:\W|$)',
+    r'(?:^|\W)onunderflow(?:\W|$)',
+    r'(?:^|\W)onurlflip(?:\W|$)',
+    r'(?:^|\W)seeksegmenttime(?:\W|$)',
+    r'(?:^|\W)svgabort(?:\W|$)',
+    r'(?:^|\W)svgerror(?:\W|$)',
+    r'(?:^|\W)svgload(?:\W|$)',
+    r'(?:^|\W)svgresize(?:\W|$)',
+    r'(?:^|\W)svgscroll(?:\W|$)',
+    r'(?:^|\W)svgunload(?:\W|$)',
+    r'(?:^|\W)svgzoom(?:\W|$)',
+    ]
+
+
+# This is the actual re to look for the above patterns
+_badhtml = re.compile('|'.join(_badwords), re.IGNORECASE)
+# This is used to filter non-printable us-ascii characters, some of which
+# can be used to break words to avoid recognition.
+_filterchars = re.compile('[\000-\011\013\014\016-\037\177-\237]')
+# This is used to recognize '&#' and '%xx' strings for _translate which
+# translates them to characters
+_encodedchars = re.compile('(&#[0-9]+;?)|(&#x[0-9a-f]+;?)|(%[0-9a-f]{2})',
+                           re.IGNORECASE)
+
+
+def _translate(mo):
+    """Translate &#... and %xx encodings into the encoded character."""
+    match = mo.group().lower().strip('&#;')
+    try:
+        if match.startswith('x') or match.startswith('%'):
+            val = int(match[1:], 16)
+        else:
+            val = int(match, 10)
+    except ValueError:
+        return ''
+    if val < 256:
+        return chr(val)
+    else:
+        return ''
+
+
+def suspiciousHTML(html):
+    """Check HTML string for various tags, script language names and
+    'onxxx' actions that can be used in XSS attacks.
+    Currently, this a very simple minded test.  It just looks for
+    patterns without analyzing context.  Thus, it potentially flags lots
+    of benign stuff.
+    Returns True if anything suspicious found, False otherwise.
+    """
+
+    if _badhtml.search(_filterchars.sub(
+                       '', _encodedchars.sub(_translate, html))):
+        return True
+    else:
+        return False

1	unnilennium	1.1	=== modified file 'Mailman/Cgi/edithtml.py'
2			--- Mailman/Cgi/edithtml.py 2006-08-30 14:54:22 +0000
3			+++ Mailman/Cgi/edithtml.py 2007-12-04 19:52:18 +0000
4			@@ -1,4 +1,4 @@
5			-# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
6			+# Copyright (C) 1998-2007 by the Free Software Foundation, Inc.
7			#
8			# This program is free software; you can redistribute it and/or
9			# modify it under the terms of the GNU General Public License
10			@@ -159,7 +159,20 @@
11			doc.AddItem('<hr>')
12			return
13			code = cgi_info['html_code'].value
14			- code = re.sub(r'<([/]?script.*?)>', r'<\1>', code)
15			+ if Utils.suspiciousHTML(code):
16			+ doc.AddItem(Header(3,
17			+ _("""The page you saved contains suspicious HTML that could
18			+potentially expose your users to cross-site scripting attacks. This change
19			+has therefore been rejected. If you still want to make these changes, you
20			+must have shell access to your Mailman server.
21			+ """)))
22			+ doc.AddItem(_('See '))
23			+ doc.AddItem(Link(
24			+'http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.048.htp',
25			+ _('FAQ 4.48.')))
26			+ doc.AddItem(Header(3,_("Page Unchanged.")))
27			+ doc.AddItem('<hr>')
28			+ return
29			langdir = os.path.join(mlist.fullpath(), mlist.preferred_language)
30			# Make sure the directory exists
31			omask = os.umask(0)
32
33			=== modified file 'Mailman/Gui/General.py'
34			--- Mailman/Gui/General.py 2006-08-30 14:54:22 +0000
35			+++ Mailman/Gui/General.py 2007-12-04 19:52:18 +0000
36			@@ -1,4 +1,4 @@
37			-# Copyright (C) 2001-2006 by the Free Software Foundation, Inc.
38			+# Copyright (C) 2001-2007 by the Free Software Foundation, Inc.
39			#
40			# This program is free software; you can redistribute it and/or
41			# modify it under the terms of the GNU General Public License
42			@@ -436,17 +442,21 @@
43			# Convert any html entities to Unicode
44			mlist.subject_prefix = Utils.canonstr(
45			val, mlist.preferred_language)
46			+ elif property == 'info':
47			+ if val <> mlist.info:
48			+ if Utils.suspiciousHTML(val):
49			+ doc.addError(_("""The <b>info</b> attribute you saved
50			+contains suspicious HTML that could potentially expose your users to cross-site
51			+scripting attacks. This change has therefore been rejected. If you still want
52			+to make these changes, you must have shell access to your Mailman server.
53			+This change can be made with bin/withlist or with bin/config_list by setting
54			+mlist.info.
55			+ """))
56			+ else:
57			+ mlist.info = val
58			else:
59			GUIBase._setValue(self, mlist, property, val, doc)
60
61			- def _escape(self, property, value):
62			- # The 'info' property allows HTML, but let's sanitize it to avoid XSS
63			- # exploits. Everything else should be fully escaped.
64			- if property <> 'info':
65			- return GUIBase._escape(self, property, value)
66			- # Sanitize <script> and </script> tags but nothing else. Not the best
67			- # solution, but expedient.
68			- return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value)
69
70			def _postValidate(self, mlist, doc):
71			if not mlist.reply_to_address.strip() and \
72
73			=== modified file 'Mailman/Gui/GUIBase.py'
74			--- Mailman/Gui/GUIBase.py 2005-08-27 01:40:17 +0000
75			+++ Mailman/Gui/GUIBase.py 2007-11-18 20:01:26 +0000
76			@@ -1,4 +1,4 @@
77			-# Copyright (C) 2002-2004 by the Free Software Foundation, Inc.
78			+# Copyright (C) 2002-2007 by the Free Software Foundation, Inc.
79			#
80			# This program is free software; you can redistribute it and/or
81			# modify it under the terms of the GNU General Public License
82			@@ -12,7 +12,8 @@
83			#
84			# You should have received a copy of the GNU General Public License
85			# along with this program; if not, write to the Free Software
86			-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
87			+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
88			+# USA.
89
90			"""Base class for all web GUI components."""
91
92			@@ -122,10 +127,6 @@
93			# Validate all the attributes for this category
94			pass
95
96			- def _escape(self, property, value):
97			- value = value.replace('<', '<')
98			- return value
99			-
100			def handleForm(self, mlist, category, subcat, cgidata, doc):
101			for item in self.GetConfigInfo(mlist, category, subcat):
102			# Skip descriptions and legacy non-attributes
103			@@ -144,10 +145,9 @@
104			elif not cgidata.has_key(property):
105			continue
106			elif isinstance(cgidata[property], ListType):
107			- val = [self._escape(property, x.value)
108			- for x in cgidata[property]]
109			+ val = [x.value for x in cgidata[property]]
110			else:
111			- val = self._escape(property, cgidata[property].value)
112			+ val = cgidata[property].value
113			# Coerce the value to the expected type, raising exceptions if the
114			# value is invalid.
115			try:
116
117			=== modified file 'Mailman/Utils.py'
118			--- Mailman/Utils.py 2007-11-25 08:04:30 +0000
119			+++ Mailman/Utils.py 2007-12-04 19:52:18 +0000
120			@@ -876,3 +876,154 @@
121			except (LookupError, UnicodeError, ValueError, HeaderParseError):
122			# possibly charset problem. return with undecoded string in one line.
123			return EMPTYSTRING.join(s.splitlines())
124			+
125			+
126			+# Patterns and functions to flag possible XSS attacks in HTML.
127			+# This list is compiled from information at http://ha.ckers.org/xss.html,
128			+# http://www.quirksmode.org/js/events_compinfo.html,
129			+# http://www.htmlref.com/reference/appa/events1.htm,
130			+# http://lxr.mozilla.org/mozilla/source/content/events/src/nsDOMEvent.cpp#59,
131			+# http://www.w3.org/TR/DOM-Level-2-Events/events.html and
132			+# http://www.xulplanet.com/references/elemref/ref_EventHandlers.html
133			+# Many thanks are due to Moritz Naumann for his assistance with this.
134			+_badwords = [
135			+ '<i?frame',
136			+ '<link',
137			+ '<meta',
138			+ '<script',
139			+ r'(?:^\|\W)j(?:ava)?script(?:\W\|$)',
140			+ r'(?:^\|\W)vbs(?:cript)?(?:\W\|$)',
141			+ r'(?:^\|\W)domactivate(?:\W\|$)',
142			+ r'(?:^\|\W)domattrmodified(?:\W\|$)',
143			+ r'(?:^\|\W)domcharacterdatamodified(?:\W\|$)',
144			+ r'(?:^\|\W)domfocus(?:in\|out)(?:\W\|$)',
145			+ r'(?:^\|\W)dommenuitem(?:in)?active(?:\W\|$)',
146			+ r'(?:^\|\W)dommousescroll(?:\W\|$)',
147			+ r'(?:^\|\W)domnodeinserted(?:intodocument)?(?:\W\|$)',
148			+ r'(?:^\|\W)domnoderemoved(?:fromdocument)?(?:\W\|$)',
149			+ r'(?:^\|\W)domsubtreemodified(?:\W\|$)',
150			+ r'(?:^\|\W)fscommand(?:\W\|$)',
151			+ r'(?:^\|\W)onabort(?:\W\|$)',
152			+ r'(?:^\|\W)on(?:de)?activate(?:\W\|$)',
153			+ r'(?:^\|\W)on(?:after\|before)print(?:\W\|$)',
154			+ r'(?:^\|\W)on(?:after\|before)update(?:\W\|$)',
155			+ r'(?:^\|\W)onbefore(?:(?:de)?activate\|copy\|cut\|editfocus\|paste)(?:\W\|$)',
156			+ r'(?:^\|\W)onbeforeunload(?:\W\|$)',
157			+ r'(?:^\|\W)onbegin(?:\W\|$)',
158			+ r'(?:^\|\W)onblur(?:\W\|$)',
159			+ r'(?:^\|\W)onbounce(?:\W\|$)',
160			+ r'(?:^\|\W)onbroadcast(?:\W\|$)',
161			+ r'(?:^\|\W)on(?:cell)?change(?:\W\|$)',
162			+ r'(?:^\|\W)oncheckboxstatechange(?:\W\|$)',
163			+ r'(?:^\|\W)on(?:dbl)?click(?:\W\|$)',
164			+ r'(?:^\|\W)onclose(?:\W\|$)',
165			+ r'(?:^\|\W)oncommand(?:update)?(?:\W\|$)',
166			+ r'(?:^\|\W)oncomposition(?:end\|start)(?:\W\|$)',
167			+ r'(?:^\|\W)oncontextmenu(?:\W\|$)',
168			+ r'(?:^\|\W)oncontrolselect(?:\W\|$)',
169			+ r'(?:^\|\W)oncopy(?:\W\|$)',
170			+ r'(?:^\|\W)oncut(?:\W\|$)',
171			+ r'(?:^\|\W)ondataavailable(?:\W\|$)',
172			+ r'(?:^\|\W)ondataset(?:changed\|complete)(?:\W\|$)',
173			+ r'(?:^\|\W)ondrag(?:drop\|end\|enter\|exit\|gesture\|leave\|over)?(?:\W\|$)',
174			+ r'(?:^\|\W)ondragstart(?:\W\|$)',
175			+ r'(?:^\|\W)ondrop(?:\W\|$)',
176			+ r'(?:^\|\W)onend(?:\W\|$)',
177			+ r'(?:^\|\W)onerror(?:update)?(?:\W\|$)',
178			+ r'(?:^\|\W)onfilterchange(?:\W\|$)',
179			+ r'(?:^\|\W)onfinish(?:\W\|$)',
180			+ r'(?:^\|\W)onfocus(?:in\|out)?(?:\W\|$)',
181			+ r'(?:^\|\W)onhelp(?:\W\|$)',
182			+ r'(?:^\|\W)oninput(?:\W\|$)',
183			+ r'(?:^\|\W)onkey(?:up\|down\|press)(?:\W\|$)',
184			+ r'(?:^\|\W)onlayoutcomplete(?:\W\|$)',
185			+ r'(?:^\|\W)on(?:un)?load(?:\W\|$)',
186			+ r'(?:^\|\W)onlosecapture(?:\W\|$)',
187			+ r'(?:^\|\W)onmedia(?:complete\|error)(?:\W\|$)',
188			+ r'(?:^\|\W)onmouse(?:down\|enter\|leave\|move\|out\|over\|up\|wheel)(?:\W\|$)',
189			+ r'(?:^\|\W)onmove(?:end\|start)?(?:\W\|$)',
190			+ r'(?:^\|\W)on(?:off\|on)line(?:\W\|$)',
191			+ r'(?:^\|\W)onoutofsync(?:\W\|$)',
192			+ r'(?:^\|\W)onoverflow(?:changed)?(?:\W\|$)',
193			+ r'(?:^\|\W)onpage(?:hide\|show)(?:\W\|$)',
194			+ r'(?:^\|\W)onpaint(?:\W\|$)',
195			+ r'(?:^\|\W)onpaste(?:\W\|$)',
196			+ r'(?:^\|\W)onpause(?:\W\|$)',
197			+ r'(?:^\|\W)onpopup(?:hidden\|hiding\|showing\|shown)(?:\W\|$)',
198			+ r'(?:^\|\W)onprogress(?:\W\|$)',
199			+ r'(?:^\|\W)onpropertychange(?:\W\|$)',
200			+ r'(?:^\|\W)onradiostatechange(?:\W\|$)',
201			+ r'(?:^\|\W)onreadystatechange(?:\W\|$)',
202			+ r'(?:^\|\W)onrepeat(?:\W\|$)',
203			+ r'(?:^\|\W)onreset(?:\W\|$)',
204			+ r'(?:^\|\W)onresize(?:end\|start)?(?:\W\|$)',
205			+ r'(?:^\|\W)onresume(?:\W\|$)',
206			+ r'(?:^\|\W)onreverse(?:\W\|$)',
207			+ r'(?:^\|\W)onrow(?:delete\|enter\|exit\|inserted)(?:\W\|$)',
208			+ r'(?:^\|\W)onrows(?:delete\|enter\|inserted)(?:\W\|$)',
209			+ r'(?:^\|\W)onscroll(?:\W\|$)',
210			+ r'(?:^\|\W)onseek(?:\W\|$)',
211			+ r'(?:^\|\W)onselect(?:start)?(?:\W\|$)',
212			+ r'(?:^\|\W)onselectionchange(?:\W\|$)',
213			+ r'(?:^\|\W)onstart(?:\W\|$)',
214			+ r'(?:^\|\W)onstop(?:\W\|$)',
215			+ r'(?:^\|\W)onsubmit(?:\W\|$)',
216			+ r'(?:^\|\W)onsync(?:from\|to)preference(?:\W\|$)',
217			+ r'(?:^\|\W)onsyncrestored(?:\W\|$)',
218			+ r'(?:^\|\W)ontext(?:\W\|$)',
219			+ r'(?:^\|\W)ontimeerror(?:\W\|$)',
220			+ r'(?:^\|\W)ontrackchange(?:\W\|$)',
221			+ r'(?:^\|\W)onunderflow(?:\W\|$)',
222			+ r'(?:^\|\W)onurlflip(?:\W\|$)',
223			+ r'(?:^\|\W)seeksegmenttime(?:\W\|$)',
224			+ r'(?:^\|\W)svgabort(?:\W\|$)',
225			+ r'(?:^\|\W)svgerror(?:\W\|$)',
226			+ r'(?:^\|\W)svgload(?:\W\|$)',
227			+ r'(?:^\|\W)svgresize(?:\W\|$)',
228			+ r'(?:^\|\W)svgscroll(?:\W\|$)',
229			+ r'(?:^\|\W)svgunload(?:\W\|$)',
230			+ r'(?:^\|\W)svgzoom(?:\W\|$)',
231			+ ]
232			+
233			+
234			+# This is the actual re to look for the above patterns
235			+_badhtml = re.compile('\|'.join(_badwords), re.IGNORECASE)
236			+# This is used to filter non-printable us-ascii characters, some of which
237			+# can be used to break words to avoid recognition.
238			+_filterchars = re.compile('[\000-\011\013\014\016-\037\177-\237]')
239			+# This is used to recognize '&#' and '%xx' strings for _translate which
240			+# translates them to characters
241			+_encodedchars = re.compile('(&#[0-9]+;?)\|(&#x[0-9a-f]+;?)\|(%[0-9a-f]{2})',
242			+ re.IGNORECASE)
243			+
244			+
245			+def _translate(mo):
246			+ """Translate &#... and %xx encodings into the encoded character."""
247			+ match = mo.group().lower().strip('&#;')
248			+ try:
249			+ if match.startswith('x') or match.startswith('%'):
250			+ val = int(match[1:], 16)
251			+ else:
252			+ val = int(match, 10)
253			+ except ValueError:
254			+ return ''
255			+ if val < 256:
256			+ return chr(val)
257			+ else:
258			+ return ''
259			+
260			+
261			+def suspiciousHTML(html):
262			+ """Check HTML string for various tags, script language names and
263			+ 'onxxx' actions that can be used in XSS attacks.
264			+ Currently, this a very simple minded test. It just looks for
265			+ patterns without analyzing context. Thus, it potentially flags lots
266			+ of benign stuff.
267			+ Returns True if anything suspicious found, False otherwise.
268			+ """
269			+
270			+ if _badhtml.search(_filterchars.sub(
271			+ '', _encodedchars.sub(_translate, html))):
272			+ return True
273			+ else:
274			+ return False
275