[Mailman-Users] attachments

Mark Sapiro mark at msapiro.net
Wed Apr 16 01:07:13 CEST 2008


Con Wieland wrote:
>
>On Apr 15, 2008, at 2:58 PM, Mark Sapiro wrote:
>
>> Con Wieland wrote:
>>
>>> My questions are,  why am I getting the html attachments?
>>
>>
>> Because the sender's MUA is sending them and your content filtering is
>> either not on or is not removing HTML and not collapsing alternatives.
>
>Correct, it was not on for this example, but when I turn it on and select:
>
>Remove message attachments that have a matching content type. text/html
>
>I lose the pdf too. How can I configure it to just remove the text/html
>and leave the text/plain and application/pdf?


It depends on how you want to approach things. You can either specify
what you want to accept and filter the rest, or specify what you don't
want and accept the rest. This means you want to specify only one of
filter_mime_types and pass_mime_types and the other should be empty.

If you want to accept any text/plain parts from the message or an
attached (forwarded as attachment) message and likewise for PDFs and
not accept anything else, set filter_mime_types empty and
pass_mime_types to

multipart
message/rfc822
text/plain
application/pdf

If you want to accept everything except html, you would put text/html
in filter_mime_types and leave pass_mime_types empty, but this is
probably a very bad idea. The first problem that comes to mind is you
will pass the plain text from a multipart alternative message and also
pass the stationery background/watermark image file but remove the
html that references the image leaving it as a simple attachment.


>>> and why
>>> are they gibberish?
>>
>>
>> They are not gibberish. They are HTML shown to you as raw rather than
>> rendered HTML.
>
>Yes, gibberish was not the right word. But why aren't they rendered
>when I click on the link? I am used to just being able to open the
>link and have them rendered.


Because you don't want a list member posting an HTML message with evil
javascript and getting it stored as renderable html on your web site.
There is an mm_cfg.py setting to allow this, but here's what we say
about it in Defaults.py.

># This variable defines what happens to text/html subparts.  They can be
># stripped completely, escaped, or filtered through an external program.  The
># legal values are:
># 0 - Strip out text/html parts completely, leaving a notice of the removal in
>#     the message.  If the outer part is text/html, the entire message is
>#     discarded.
># 1 - Remove any embedded text/html parts, leaving them as HTML-escaped
>#     attachments which can be separately viewed.  Outer text/html parts are
>#     simply HTML-escaped.
># 2 - Leave it inline, but HTML-escape it
># 3 - Remove text/html as attachments but don't HTML-escape them. Note: this
>#     is very dangerous because it essentially means anybody can send an HTML
>#     email to your site containing evil JavaScript or web bugs, or other
>#     nasty things, and folks viewing your archives will be susceptible.  You
>#     should only consider this option if you do heavy moderation of your list
>#     postings.
<snip>
>ARCHIVE_HTML_SANITIZER = 1

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
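
The two approaches described in the message above (a pass list versus a filter list), as a simplified model added here for illustration; it is not Mailman's own filtering code and not part of the original post. The function names and the sample message are constructed for the example, and the model leaves out Mailman's other content-filtering steps such as collapsing alternatives.

```python
from email.message import EmailMessage

def build_sample():
    """Constructed sample: plain text + HTML with a stationery image, plus a PDF."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_alternative("<html><body background='cid:bg'>hi</body></html>",
                        subtype="html")
    html_part = msg.get_payload()[1]          # becomes multipart/related below
    html_part.add_related(b"GIF89a", maintype="image", subtype="gif", cid="<bg>")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="doc.pdf")
    return msg

def _matches(part, types):
    # An entry may be a full type ("text/plain") or a bare main type ("multipart").
    return (part.get_content_type() in types
            or part.get_content_maintype() in types)

def surviving_types(msg, pass_types=(), filter_types=()):
    """Content types of the leaf parts this simplified model keeps."""
    kept = []

    def walk(part):
        if filter_types and _matches(part, filter_types):
            return                            # explicitly filtered
        if pass_types and not _matches(part, pass_types):
            return                            # pass list set, type not on it
        if part.is_multipart():               # container: descend into children
            for sub in part.get_payload():
                walk(sub)
        else:
            kept.append(part.get_content_type())

    walk(msg)
    return kept

if __name__ == "__main__":
    sample = build_sample()
    allow = ["multipart", "message/rfc822", "text/plain", "application/pdf"]
    print("pass list:        ", surviving_types(sample, pass_types=allow))
    print("pass, no multipart:", surviving_types(
        sample, pass_types=["text/plain", "application/pdf"]))
    print("filter text/html: ", surviving_types(sample, filter_types=["text/html"]))
```

In this model, the pass list without the container type drops the whole message at the outer multipart, and the filter-only setting leaves the image behind once the HTML that referenced it is gone.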


