Re: Potential bug with image handling in MH 2.6.0?

2003-03-05 16:19:42
On March 5, 2003 at 18:41, "Edward Wildgoose" wrote:

I really need to think about how to let them keep the functionality, because
to a large extent they don't/needn't care about Outlook bugs...  I wonder if
most browsers would display this correctly if I completely removed the
erroneous "height" tag and just left the width tag?

Then the image would be displayed with natural height of the image,
probably causing a even larger distortion.

Also, apologies for my ignorance, but what sort of XSS vulnerabilities do I
expose myself to if there is a password protected update mechanism.  Is the
risk that a particular user could upload something nasty for when another
user views it?

Correct.  It all comes to a matter of much you trust the sender of
the message.  Since anyone can view the archived message, a person
could include scripting in an attempt to steal information, like
a cookies from those who view the message.

Also, is it easy for me to modify the code to allow limited style tags to be

Depends on what you want to limit.  Ideally, you want to avoid having
to do full CSS syntax parsing.

Can you point me to the relevant lines please?  (Perhaps I could
use a regexp to allow only style tags with height and width attributes?)



To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the

<Prev in Thread] Current Thread [Next in Thread>