Text/html -> text/plain cleverness

I note that 2.1.76 now has the variable $TrustHTMLAttachments defined in
the config file. I discovered it independantly since it saved me having
to port one of my local modifications.

However the modification I made translates message/rfc822 type attachments
as well.

Is there scope for a changing this from a boolean variable to a list of
mime types to transform?

Thanks.

John

So, the reason that change is there is to stop a cross-site scripting
attack. What advantages do you have displaying a message/rfc822 as
text/plain?On Fri, Feb 28, 2003 at 12:55:58PM +0000, J. Sloan wrote:

I note that 2.1.76 now has the variable $TrustHTMLAttachments defined in
the config file. I discovered it independantly since it saved me having
to port one of my local modifications.

However the modification I made translates message/rfc822 type attachments
as well.

Is there scope for a changing this from a boolean variable to a list of
mime types to transform?

Thanks.

John


rt-devel mailing list
rt-devel@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-devel

http://www.bestpractical.com/rt – Trouble Ticketing. Free.

So, the reason that change is there is to stop a cross-site scripting
attack. What advantages do you have displaying a message/rfc822 as
text/plain?

The same - a message/rfc822 message with text/html attachments bypasses
the simple text/html check and displays as html (in mozilla certainly).

We have a queue for people to forward us spam (to aid filter tweaking) in
which we see quite a few of these.

John

So, the reason that change is there is to stop a cross-site scripting
attack. What advantages do you have displaying a message/rfc822 as
text/plain?

The same - a message/rfc822 message with text/html attachments bypasses
the simple text/html check and displays as html (in mozilla certainly).

Ah. I wasn’t aware of the mozilla behaviour… though, actually, RT3
should be recursing and ripping those attachments out to seperate
attachments in the database.

We have a queue for people to forward us spam (to aid filter tweaking) in
which we see quite a few of these.

John

http://www.bestpractical.com/rt – Trouble Ticketing. Free.