On December 29, 2002 at 00:21, Gunnar Hjalmarsson wrote:
> Content-Type: multipart/mixed; boundary="XXXXX"
> The final HTML message page will contain the following:
> I.e. An auto-loaded URL got by the filtering.
> I tested the above, and it got by the filtering also with the original
> code. Would suggest that you take a closer look at it.
Can you provide your test case? The above did get filtered from my
tests. Of course, if allownoncidurls is in effect, the above
will pass through.
I am reluctant to loosen up the filtering code at this time due to
XSS issues since I am not confident that any kind of loosening cannot
> Okay, I respect that, and I admit that the example I posted in the bug
> isn't very common... I'll refrain from further suggestions for a while. ;-)
Suggestions are always good along with others examining the code.
The limitation you cite has been brought up before by a different user
a long time ago. Since the best solution would require real HTML
parsing, dealing with the limitation has been a back burner item.
It is a limitation that I would like to address at some time since
valid content data can be "magically" deleted. For example, say you
included some sample code in your message that includes strings like
the text will be removed since the filtering does not discriminate
what is and is not in a tag. The example you provided, "action=",
is more complex since it requires knowing context within a tag:
an attribute name vs an attribute value.
Due to the inherent security problems with HTML in email, keeping
the limitation around may encourage users to exclude HTML mail from
their archives :-)
The limitation is probably worth noting in the documentation.
P.S. If people want fonts and all that jazz in their messages, the
text/enriched media-type has existed for a long time, and it does
not introduce the security problems that text/html does.
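The limitation discussed above (a context-free filter deleting a string wherever it appears, versus a parser that knows whether it is inside a tag and which attribute it belongs to) is shown in this added Python example. It is not MHonArc's own code; the function names, the `DROP_ATTRS` set and the sample message are assumptions constructed for illustration. The "naive" filter stands in for a substring/regex strip; the parser-based one uses Python's `html.parser` to remove only the listed attribute from real tags and leaves text content untouched.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample message (not from the thread): the text quotes "action="
# as part of some sample code, and a real form tag also carries an action
# attribute. A context-free filter cannot tell the two apart.
SAMPLE_HTML = (
    '<p>In your template, set action= to the handler path.</p>'
    '<form action="/submit" method="post"><input name="q"></form>'
)

# Hypothetical policy: attribute names the filter removes from tags.
DROP_ATTRS = {"action"}


def naive_filter(doc: str) -> str:
    """Context-free filter: deletes the string wherever it occurs,
    including inside ordinary text, so legitimate content is lost."""
    return re.sub(r"action=", "", doc, flags=re.IGNORECASE)


class AttrStripper(HTMLParser):
    """Re-serialises the document, dropping DROP_ATTRS only inside tags."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []  # (tag, attribute, value) records for logging

    def _fmt(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            if name.lower() in DROP_ATTRS:
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return f"<{tag}{''.join(kept)}{close}>"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._fmt(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._fmt(tag, attrs, " /"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)  # text content passes through unchanged

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing the archive needs; drop them

    def result(self) -> str:
        return "".join(self.out)


def context_aware_filter(doc: str):
    """Parser-based filter: returns (filtered_html, dropped_attributes)."""
    p = AttrStripper()
    p.feed(doc)
    p.close()
    return p.result(), p.dropped


if __name__ == "__main__":
    print("naive:  ", naive_filter(SAMPLE_HTML))
    out, dropped = context_aware_filter(SAMPLE_HTML)
    print("parsed: ", out)
    print("dropped:", dropped)
```

Running it shows the naive filter turning "set action= to" into "set  to" and leaving a broken `<form "/submit" ...>` tag, while the parser-based filter keeps the sentence intact and removes exactly one attribute from the form tag. A parser of this kind is only the foundation: a real archive filter still needs an allow-list of tags and attributes, and attribute values (URLs in particular) must be validated separately, since `html.parser` is tolerant and will not reject malformed markup on its own.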
To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the
message text UNSUBSCRIBE MHONARC-DEV