[imp] changes in html viewing (2.2.4)

Chuck Hagenbuch chuck@horde.org
Mon, 12 Feb 2001 10:31:18 -0500


Quoting Robert Marchand <robert.marchand@UMontreal.CA>:

> between IMP 2.2.3 and 2.2.4, there has been a change in the mime.php3.dist
> file, causing html attachments not to be viewable anymore.  I'd like to know 
> more about the security risks.  Is there a new risk I should know about or is 
> it just closing a forgotten door?

If you read the comments in mime.php3.dist, they explain most of this. We 
filter HTML attachments when they are displayed, and do a pretty thorough job 
of it. However, browsers are vulnerable to all kinds of silly things that are 
discovered all of the time, so I'm simply unwilling to enable the feature by 
default, because that would be giving people what I feel is a false sense of 
security. You are perfectly welcome to enable the feature yourself, and most 
likely we filter anything dangerous. But I want it to be clear that while we 
provide the feature for those who need/want it, we don't _guarantee_ that it is 
100% safe.

The change was made simply because I realized that it had not been. I meant to 
change it quite a while ago.

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"My intuitive grasp of math often leads me astray." -Me