[imp] viewing html mail messages
Chuck Hagenbuch
chuck@horde.org
Wed, 5 Jun 2002 14:48:52 -0400
Quoting jlewis@lewis.org:
> What's the reasoning for having this default to being turned off (i.e. in
> mime_drivers.php.dist)? Also, in imp/lib/MIME/Viewer/html.php, is it
> really necessary to disable all style tags? From a quick search, I'm
> guessing this is done to prevent javascript from being run via style
> tags.
Correct. And the reason it's done by default is because it's, no matter how
we look at it, a gaping security hole. We sanitize a heck of a lot of HTML,
but browsers are amazingly stupid and lax in what they'll accept as valid
script code, so someone is probably _always_ going to be able to find a way
by it. So, we turn it off by default, so that you have to be making a
_slightly_ informed decision, at least, to open yourself to this.
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"What was and what may be, lie, like children whose faces we cannot see, in
the arms of silence. All we ever have is here, now." - Ursula K. Le Guin
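An added illustration of the default-off, allowlist stance the reply describes (example code, not IMP's html.php or mime_drivers.php; the sanitizer class, the `render_html_part` switch, the tag/attribute lists and the sample message are all assumed for this demo):

```python
import html
from html.parser import HTMLParser

# Hypothetical allowlist sanitizer (not IMP's html.php): anything not listed
# is dropped, which removes <style>/<script> blocks, style="" attributes and
# every on* event handler without trying to enumerate what a browser might run.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.out = []
        self.skip_depth = 0  # > 0 while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # only plain web/mail links survive
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def render_html_part(raw_html, inline_html=False):
    """Default-off switch, like the disabled mime_drivers.php.dist entry:
    return None (caller shows plain text / attachment) unless enabled."""
    if not inline_html:
        return None
    parser = MailSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)

# Constructed sample message part for demonstration.
SAMPLE = ('<p style="color:red">Hello</p><style>p{}</style>'
          '<b onmouseover="f()">bold</b><a href="https://example.com">ok</a>')
```

With the flag left at its default the part is not rendered at all; with it enabled, only the allowlisted markup reaches the browser.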