[imp] changes in html viewing (2.2.4)
Chuck Hagenbuch
chuck@horde.org
Mon, 12 Feb 2001 10:31:18 -0500
Quoting Robert Marchand <robert.marchand@UMontreal.CA>:
> Between IMP 2.2.3 and 2.2.4, there has been a change in the mime.php3.dist
> file, causing html attachments not to be viewable anymore. I'd like to know
> more about the security risks. Is there a new risk I should know about or is
> it just closing a forgotten door?
If you read the comments in mime.php3.dist, they explain most of this. We
filter HTML attachments when they are displayed, and do a pretty thorough job
of it. However, browsers are vulnerable to all kinds of silly things that are
discovered all of the time, so I'm simply unwilling to enable the feature by
default, because that would be giving people what I feel is a false sense of
security. You are perfectly welcome to enable the feature yourself, and most
likely we filter anything dangerous. But I want it to be clear that while we
provide the feature for those who need/want it, we don't _guarantee_ that it is
100% safe.
The change was made simply because I realized that it had not been. I meant to
change it quite a while ago.
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"My intuitive grasp of math often leads me astray." -Me