authorbwarsaw2002-01-08 07:14:35 +0000
committerbwarsaw2002-01-08 07:14:35 +0000
commitde2b0a316aefed98021f372a05cbd97b3651e0b4 (patch)
tree9a71e768cab53c50ca85ba77d8cbd28a0d4e980f /Mailman/Cgi/admindb.py
parent8e38ab16072ed9fb16e74c315a6106b9808deab0 (diff)
main(): Fixed two buglets. First in the "if sender:" block, the
expansion of d['description'] referenced a local `esender' which, due to a code re-org, was not defined. Define esender so as to avoid a cross-site scripting exploit. Second, it was not correct to omit the form and submit button any time there was a ?details=... query. Fix this so that each stanza can decide whether to add the form or not.
Diffstat (limited to 'Mailman/Cgi/admindb.py')
-rw-r--r--Mailman/Cgi/admindb.py7
1 files changed, 5 insertions, 2 deletions
diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py
index 5f50a6da8..3cd572291 100644
--- a/Mailman/Cgi/admindb.py
+++ b/Mailman/Cgi/admindb.py
@@ -191,8 +191,10 @@ def main():
'adminurl' : adminurl,
'filterurl' : adminurl + '/privacy/sender',
}
+ addform = 1
if sender:
- d['description'] = _("all the %(esender)s's held messages.")
+ esender = cgi.escape(sender)
+ d['description'] = _("all of %(esender)s's held messages.")
doc.AddItem(Utils.maketext('admindbpreamble.html', d,
raw=1, mlist=mlist))
show_sender_requests(mlist, form, sender)
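Review bot: The added `esender = cgi.escape(sender)` leaves double quotes untouched (the quote argument defaults to false), so the value is only safe where admindbpreamble.html interpolates %(description)s as element text, not inside an attribute; `esender = cgi.escape(sender, 1)` closes that gap at no cost. The commit message says `_()` expands %(esender)s from a local, so a short comment on the new line, `# must be a local: _() interpolates %(esender)s from this frame`, would stop the next refactor from reintroducing the bug this commit fixes. The raw, unescaped `sender` is still passed to `show_sender_requests` on the hunk's last line; whether that helper escapes it before rendering is not visible here and is worth confirming. `main()` begins before this hunk.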
@@ -209,6 +211,7 @@ def main():
elif details == 'instructions':
doc.AddItem(Utils.maketext('admindbdetails.html', d,
raw=1, mlist=mlist))
+ addform = 0
else:
# Show a summary of all requests
doc.AddItem(Utils.maketext('admindbsummary.html', d,
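Review bot: The new `addform = 0` carries no explanation of why only the instructions stanza suppresses the form, and the flag is read some twenty lines later; a one-line comment such as `# instructions page is read-only: no requests to submit, so no form` would make the intent explicit at the point it is set. Whether any other `details` value handled between this hunk and the previous one should also opt out cannot be seen here, since the if/elif chain starts outside the hunk.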
@@ -217,7 +220,7 @@ def main():
show_pending_unsubs(mlist, form)
show_helds_overview(mlist, form)
# Finish up the document, adding buttons to the form
- if not details:
+ if addform:
doc.AddItem(form)
form.AddItem('<hr>')
form.AddItem(Center(SubmitButton('submit', _('Submit All Data'))))