[Mailman-Developers] New Pipermail hacks (was Re: Ok, it works! ...)

Barry A. Warsaw barry@zope.com
Sun, 28 Oct 2001 10:25:12 -0500

>>>>> "DH" == Donal Hunt <donal.hunt2@mail.dcu.ie> writes:

    DH> hey everyone...

    DH> I was thinking of the security issues behind HTML encoded mail
    DH> and one of the things that you could do is strip out all
    DH> "<SCRIPT>" stuff automatically.  Normal HTML mail shouldn't
    DH> generate it and it's one of the main ways of doing malicious
    DH> things when a user opens a mail.

    DH> Thoughts?

In general, I'd prefer to keep Pipermail out of the business of
grokking HTML.  The framework is certainly in place to farm such
semantic filtering out to an external program.  Would the lynx filter
shown as an example do the trick?

Also, HTML-escaping as a general rule should prevent <script> and
other evil tags from getting to an archiver viewer, at the expense of
human readability <wink>.

A new Mozilla 1.0 tag which causes the whole application to scroll up
into its title bar and then back down again, rapidly, as if it were
blinking at you.
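The two approaches discussed in this message, Donal's strip-the-script-tags idea and Barry's escape-everything rule, side by side as an added Python example; this is not code from Pipermail, Mailman or either poster, and the sample message is constructed. It also shows the readability cost Barry mentions: after escaping, the sender's own markup is displayed literally.

```python
"""Two ways of keeping HTML mail from executing in an archive viewer."""
import email
import html
import re

# Constructed sample message (not taken from the mailing-list thread).
SAMPLE_MAIL = b"""From: alice@example.org
To: list@example.org
Subject: sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Hello <b>list</b></p>
<SCRIPT type="text/javascript">alert("constructed sample")</SCRIPT>
</body></html>
"""

# Case-insensitive match of a whole <script>...</script> element.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def html_body(raw: bytes) -> str:
    """Return the decoded text/html body of a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "us-ascii"
            return part.get_payload(decode=True).decode(charset)
    raise ValueError("no text/html part in message")


def strip_script_tags(body: str) -> str:
    """Blocklist approach from the quoted mail: delete <script> elements,
    keep every other tag so the mail still renders as HTML."""
    return SCRIPT_RE.sub("", body)


def escape_for_archive(body: str) -> str:
    """Escaping approach: no tag survives as markup, so nothing in the
    message can run in the viewer; the price is that tags show up as text."""
    return "<pre>" + html.escape(body, quote=True) + "</pre>"
```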