
mailman-2.1.23-2.1.mga6.src.rpm

--- a/Mailman/Cgi/options.py	2017-06-08 02:51:02 +0000
+++ b/Mailman/Cgi/options.py	2018-02-03 23:21:16 +0000
@@ -200,20 +200,6 @@
     doc.set_language(userlang)
     i18n.set_language(userlang)
 
-    # See if this is VARHELP on topics.
-    varhelp = None
-    if cgidata.has_key('VARHELP'):
-        varhelp = cgidata['VARHELP'].value
-    elif os.environ.get('QUERY_STRING'):
-        # POST methods, even if their actions have a query string, don't get
-        # put into FieldStorage's keys :-(
-        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
-        if qs and type(qs) == types.ListType:
-            varhelp = qs[0]
-    if varhelp:
-        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
-        return
-
     # Are we processing an unsubscription request from the login screen?
     msgc = _('If you are a list member, a confirmation email has been sent.')
     msga = _("""If you are a list member, your unsubscription request has been
@@ -340,6 +326,22 @@
         print doc.Format()
         return
 
+    # See if this is VARHELP on topics.
+    varhelp = None
+    if cgidata.has_key('VARHELP'):
+        varhelp = cgidata['VARHELP'].value
+    elif os.environ.get('QUERY_STRING'):
+        # POST methods, even if their actions have a query string, don't get
+        # put into FieldStorage's keys :-(
+        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+        if qs and type(qs) == types.ListType:
+            varhelp = qs[0]
+    if varhelp:
+        # Sanitize the topic name.
+        varhelp = re.sub('<.*', '', varhelp)
+        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+        return
+
     if cgidata.has_key('logout'):
         print mlist.ZapCookie(mm_cfg.AuthUser, user)
         loginpage(mlist, doc, user, language)
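Review bot: The sanitiser `re.sub('<.*', '', varhelp)` removes only the text from each `<` to the end of its line, so quotes, `>` and `&` in the VARHELP value still reach `topic_details()` unchanged. Whether that is sufficient depends on how `topic_details()` writes the value into the page, which is outside this hunk; escaping at the point of output, or checking the value against the list's configured topic names before the call, would not depend on one character being absent. If `Utils` is imported in this module, `varhelp = Utils.websafe(varhelp)` would be the escaping form, provided `topic_details()` still matches on the unescaped name. No hunk in this patch adds `import re`, so confirm the module already imports it, since otherwise the new line raises NameError on every VARHELP request. The comment could also say why the value is stripped, e.g. `# VARHELP is user-supplied and echoed in the help page; strip anything from '<' on.`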