Re: Potential bug with image handling in MH 2.6.0?

2003-03-05 12:41:34
The problem is subtle and it appears to be an inconsistency with
mail composer software (I guess Outlook Express in this case) and
not with MHonArc.  Let's look at the IMG tag again:

  <IMG style="WIDTH: 213px; HEIGHT: 279px" height=827 alt=""
  -------------------^^^------------^^^   --------^^^
       hspace=0 src="cid:002701c23ee6$1fe5cfb0$0100007f@your9hpe8b9zly"
       width=266 align=baseline border=0>

I decode the quoted-printable text so it is more reabable.  Take
a look at the width/height settings in the style attribute vs the
width/height attribute values.  They are different.  By default, MHonArc
strips out style attributes for security reasons (to prevent XSS
exploits).  Therefore, it just leaves the width and height attributes,

In MHonArc 2.4, the style attribute was probably not stripped by
default, but later versions do strip it to avoid XSS exploits.

Take extreme caution if you are considering allowing scripting markup
in your archives.  To work-around the problem and to not open up
you archives to XSS vulnerabilities, some custom coding would need
to be done.

Yep, I can see the inconsistency.  The problem is the user end really.  I am
trying to create a nice system so that users can email updates to their
"diary" page from their email program - most of them use Outlook Express
(their choice), and the picture appears correctly in Outlook (even though
the HTML is actually screwy).

I really need to think about how to let them keep the functionality, because
to a large extent they don't/needn't care about Outlook bugs...  I wonder if
most browsers would display this correctly if I completely removed the
erroneous "height" tag and just left the width tag?

Also, apologies for my ignorance, but what sort of XSS vulnerabilities do I
expose myself to if there is a password protected update mechanism.  Is the
risk that a particular user could upload something nasty for when another
user views it?

Also, is it easy for me to modify the code to allow limited style tags to be
available?  Can you point me to the relevant lines please?  (Perhaps I could
use a regexp to allow only style tags with height and width attributes?)

Thanks again


To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the

<Prev in Thread] Current Thread [Next in Thread>