[rt-users] De-HTML incoming mail requests
Ruslan U. Zakirov
cubic at acronis.ru
Thu May 20 03:07:20 EDT 2004
I see your patch; it doesn't do all that you wanted it to do.
It's a safe place for JavaScript and ActiveX call injection.
+$scrubber->default( 0,
+ { '*' => 0, id => 1, class => 1, href => 1, face => 1, size => 1,
target => 1 } );
+
+$scrubber->deny(qw[*]);
+$scrubber->allow( qw[A B U P BR I HR BR SMALL EM FONT SPAN DIV UL OL LI
DL DT DD] );
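Review bot: In the `default` attribute rule, `href => 1` passes any href value through on the allowed `A` tag, so a `javascript:` URL survives scrubbing even though every tag outside the allow list is denied. Replace the `1` with a pattern that accepts only the URL schemes you expect (HTML::Scrubber attribute rules accept a regex as the value in place of 0/1), or drop `href` from the defaults. Minor: `BR` is listed twice in the `allow` call.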
href can contain JS and other weird data.
Best regards. Ruslan.
Jesse Vincent wrote:
>
>
> On Thu, May 20, 2004 at 10:52:28AM +0400, Ruslan U. Zakirov wrote:
>
>>This option is for download link, if option is true then you get html
>>page with attachment download link, without it you get plain text.
>>
>>Scrubbing before/after inserting in RT and other methods was discussed
>>here, search for info.
>
>
> (RT 3.1 will scrub and display html inline.)