[rt-devel] text/html -> text/plain cleverness.
Jesse Vincent
jesse at bestpractical.com
Fri Feb 28 12:12:40 EST 2003
On Fri, Feb 28, 2003 at 05:10:44PM +0000, J. Sloan wrote:
> On Fri, 28 Feb 2003, Jesse Vincent wrote:
>
> > So, the reason that change is there is to stop a cross-site scripting
> > attack. What advantages do you have displaying a message/rfc822 as
> > text/plain?
>
> The same - a message/rfc822 message with text/html attachments bypasses
> the simple text/html check and displays as html (in mozilla certainly).
Ah. I wasn't aware of the mozilla behaviour... though, actually, RT3
_should_ be recursing and ripping those attachments out to separate
attachments in the database.
> We have a queue for people to forward us spam (to aid filter tweaking) in
> which we see quite a few of these.
>
> John
>
--
http://www.bestpractical.com/rt -- Trouble Ticketing. Free.
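
The gap discussed in this thread, as an added example that is not part of the original message and is not RT's code: a check on the outermost Content-Type misses text/html nested inside message/rfc822, while a recursive walk over the MIME tree finds it. It uses Python's standard email package; the sample message, function names and the downgrade-to-text/plain policy are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample: a forwarded message whose inner body is text/html.
SAMPLE = """\
From: reporter@example.com
To: spam-queue@example.com
Subject: Fwd: spam sample
MIME-Version: 1.0
Content-Type: message/rfc822

From: sender@example.net
Subject: inner
MIME-Version: 1.0
Content-Type: text/html

<html><body><b>constructed HTML body</b></body></html>
"""

def top_level_is_html(msg):
    """The simple check: looks only at the outermost Content-Type."""
    return msg.get_content_type() == "text/html"

def html_parts(msg, path="0"):
    """Recursive check: return the tree paths of every text/html part."""
    found = []
    if msg.get_content_type() == "text/html":
        found.append(path)
    # is_multipart() is true for multipart/* and for message/rfc822,
    # whose payload is a one-element list holding the enclosed message.
    if msg.is_multipart():
        for i, child in enumerate(msg.get_payload()):
            found.extend(html_parts(child, f"{path}.{i}"))
    return found

def safe_display_type(msg):
    """Assumed policy: serve as text/plain if HTML appears at any depth."""
    return "text/plain" if html_parts(msg) else msg.get_content_type()

if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print("simple check flags it:", top_level_is_html(m))
    print("html parts found at:", html_parts(m))
    print("served as:", safe_display_type(m))
```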