Update of /cvsroot/mhonarc/mhonarc/MHonArc
In directory subversions:/tmp/cvs-serv14330
* Added subdir option to mhtxtplain.pl and mhtxthtml.pl filters since
the filters can create derived files.
* Updated creation of "subdir" directory to be resistant to symlink
* <a href>'s preserved by HTML filter, even if only cid: URLs allowed.
This prevents regular hyperlinks from becoming stripped and enticing
users to use allownoncidurls to work around this (which then opens
<a href>'s should be safe.
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/CHANGES,v
retrieving revision 1.86
retrieving revision 1.87
diff -C2 -r1.86 -r1.87
*** CHANGES 20 Nov 2002 23:53:07 -0000 1.86
--- CHANGES 23 Nov 2002 04:10:40 -0000 1.87
*** 43,46 ****
--- 43,50 ----
* m2h_text_plain::filter (mhtxtplain.pl):
+ is disabled (the default). This is an extra measure ontop of
+ element and attribute stripping.
+ Added more robust handling of format=flowed data. By default,
all text is rendered in a monospaced font to provide visual
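Review bot: "ontop" in the first added line should be "on top". The same sentence says the measure applies when something "is disabled (the default)" but the visible entry never names the option, so name it in that sentence so the note can be read on its own.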
*** 61,64 ****
--- 65,75 ----
+ + Added "subdir" option for use when "uudecode" is enabled.
+ - Reduced set of quote characters to just '>'. Other characters
+ are used by some people (eg. '}', '|', '+'), especially on the
+ USENET, but supporting them tends to produce undesirable
+ results, especially when using fancyquote.
. Flowed conversion fallback error handling improved so data is
not lost. However, the fallack code should never be reached.
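Review bot: The entry that reduces the quote characters to just '>' records a behaviour change for existing archives but does not say whether the previous set ('}', '|', '+') can be restored. Name the option if there is one, or state that the change is unconditional, so people re-running the filter over old USENET mail know what to expect.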
*** 74,77 ****
--- 85,101 ----
* m2h_text_html::filter (mhtxthtml.pl):
+ . <a href>'s are now preserved when cid: only URLs enabled (the
+ default). This prevents regular hyperlinks in HTML messages from
+ getting stripped, which I think most people desire. Otherwise,
+ the allownoncidurls option must be used, and then this opens one
+ up to potential XSS attacks.
+ be safe from auto-XSS attacks. Readers should still be careful
+ about any links they activate.
+ . Added "subdir" option to specify that MHTML referenced data
+ (e.g. images) are saved in a subdirectory.
. STYLE and CLASS attributes stripped if nofont argument specified.
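Review bot: The <a href> entry says preserved links are "safe from auto-XSS attacks" but does not say what is done to the href value itself. Document which URL schemes are kept in a preserved href (for example, whether javascript: is dropped), since the safety claim rests on that. The added "subdir" entry should likewise say whether the directory name comes only from the filter argument or can be influenced by message content.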
*** 87,90 ****
--- 111,117 ----
is immune to symlink exploits, hence trying to using well-known names
(e.g. maillist.html, threads.html) for exploitation will not work.
+ A similiar technique is used for directory creation for filters
+ that support the "subdir" option.
Generation of temp files is done via the File::Temp module, if
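Review bot: "similiar" in the first added line should be "similar". The entry also says only that a similar technique is used for "subdir" creation; spell out what the filter does when the subdir path already exists as a symlink, so the guarantee is documented rather than implied by analogy with the temp-file handling.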