diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index abbf570..27bd0db 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -93,7 +93,7 @@ def listinfo_overview(msg=''):
else:
advertised.append((mlist.GetScriptURL('listinfo'),
mlist.real_name,
- mlist.description))
+ Utils.websafe(mlist.description)))
if msg:
greeting = FontAttr(msg, color="ff5060", size="+1")
else:
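Review bot: `mlist.real_name` on the line above the escaped description is still appended unescaped into the same tuple that the overview renders, so the fix only covers one of the two list-supplied strings in this row. If `real_name` is constrained elsewhere to be a case-variant of the internal list name it is harmless, but that constraint is not visible here and a later relaxation would reopen the hole; escaping it costs nothing: `Utils.websafe(mlist.real_name),`. The `advertised.append(...)` sits inside a loop in `listinfo_overview` whose head and the loop's other branch are outside the hunk.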
diff --git a/Mailman/HTMLFormatter.py b/Mailman/HTMLFormatter.py
index 3a21d96..dad51e7 100644
--- a/Mailman/HTMLFormatter.py
+++ b/Mailman/HTMLFormatter.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -383,8 +383,9 @@ class HTMLFormatter:
'<mm-mailman-footer>' : self.GetMailmanFooter(),
'<mm-list-name>' : self.real_name,
'<mm-email-user>' : self._internal_name,
- '<mm-list-description>' : self.description,
- '<mm-list-info>' : BR.join(self.info.split(NL)),
+ '<mm-list-description>' : Utils.websafe(self.description),
+ '<mm-list-info>' :
+ '<!---->' + BR.join(self.info.split(NL)) + '<!---->',
'<mm-form-end>' : self.FormatFormEnd(),
'<mm-archive>' : self.FormatArchiveAnchor(),
'</mm-archive>' : '</a>',
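Review bot: `<mm-list-info>` is still substituted unescaped on the new side, and the added `<!---->` wrappers do not constrain what `self.info` can inject; I take it that is deliberate because list info is meant to carry owner-authored HTML, with any filtering done where `info` is set rather than here, but nothing in the hunk says so and the empty comments look like stray markup to the next reader. A short comment above the key would stop someone from "fixing" it: `# info is owner-supplied HTML by design (not escaped); the <!----> markers delimit it so callers can locate the block. Validation of the HTML happens where info is set.` -- with the second sentence confirmed against the admin path, which is not in this diff. The surrounding dict literal belongs to a method whose signature and closing lines are outside the hunk.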
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 847d1a8..ca2a275 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2009 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -908,6 +908,7 @@ _badwords = [
# Kludge to allow the specific tag that's in the options.html template.
'<link(?! rel="SHORTCUT ICON" href="<mm-favicon>">)',
'<meta',
+ '<object',
'<script',
r'(?:^|\W)j(?:ava)?script(?:\W|$)',
r'(?:^|\W)vbs(?:cript)?(?:\W|$)',
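Review bot: Adding `<object` alone still leaves the obvious siblings for embedding active content -- `<embed`, `<iframe`, `<applet`, `<base`, and `<style`/`<form` for phishing-style injection -- uncovered unless they appear in the part of `_badwords` above this hunk, which starts before the first context line and is not visible here; if they are absent, `'<embed', '<iframe', '<applet', '<base',` next to `'<object',` would close the most common bypasses of a tag blacklist. Whether `<OBJECT` is caught depends on the flags used when this list is compiled into a regex, which is also outside the hunk; worth confirming `re.IGNORECASE` is set. This remains a denylist, so a comment noting that the check is heuristic and that the real protection is escaping at output would help the next person who adds an entry.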