[rt-users] De-HTML incoming mail requests
Jesse Vincent
jesse at bestpractical.com
Thu May 20 11:53:01 EDT 2004
On Thu, May 20, 2004 at 11:07:20AM +0400, Ruslan U. Zakirov wrote:
> I see your patch; it doesn't do all that you wanted it to do.
> It's a safe place for JavaScript and ActiveX call injection.
> +$scrubber->default( 0,
> + { '*' => 0, id => 1, class => 1, href => 1, face => 1, size => 1,
> target => 1 } );
> +
> +$scrubber->deny(qw[*]);
> +$scrubber->allow( qw[A B U P BR I HR BR SMALL EM FONT SPAN DIV UL OL LI
> DL DT DD] );
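Review bot: the attribute rule `href => 1` in the `default` call admits any href value without inspecting it, which is exactly the gap the reply below points at ("href can contain JS and other weird data"); a value rule limited to the URI schemes named in the reply (http, https, ftp, gopher) would be a safer default than a bare `1`. Minor: `BR` is listed twice in the `allow` call.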
>
> href can contain JS and other weird data.
Indeed. From the docs, it looks like we could restrict to "safe" URI
types: http, https, ftp, gopher. Anything else?
'href' => qr{^(?!(?:java)?script)}i,
'src' => qr{^(?!(?:java)?script)}i,
> Best regards. Ruslan.
>
> Jesse Vincent wrote:
>
> >
> >
> >On Thu, May 20, 2004 at 10:52:28AM +0400, Ruslan U. Zakirov wrote:
> >
> >>This option is for download link, if option is true then you get html
> >>page with attachment download link, without it you get plain text.
> >>
> >>Scrubbing before/after inserting in RT and other methods was discussed
> >>here, search for info.
> >
> >
> >(RT 3.1 will scrub and display html inline.)
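The scheme allowlist proposed above, worked through as an added example that is not code from the thread or from RT: a small Python scrubber (html.parser in place of Perl's HTML::Scrubber) keeping the tag and attribute lists from the quoted patch and dropping any href whose scheme is not http, https, ftp or gopher. Stripping leading whitespace and lower-casing the scheme before the check are assumptions added here, not something the thread states.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlists taken from the quoted patch (tag names lower-cased for html.parser).
ALLOWED_TAGS = {t.lower() for t in
                "A B U P BR I HR SMALL EM FONT SPAN DIV UL OL LI DL DT DD".split()}
ALLOWED_ATTRS = {"id", "class", "href", "face", "size", "target"}
VOID_TAGS = {"br", "hr"}
# URI schemes the reply proposes as safe; everything else is dropped.
SAFE_SCHEMES = {"http", "https", "ftp", "gopher"}

def href_is_safe(value):
    """Scheme allowlist for href: keep only absolute URIs whose scheme is listed.
    Leading whitespace/control characters are stripped and the scheme lower-cased
    before comparison (assumption: browsers normalise both before dispatching)."""
    v = re.sub(r"^[\x00-\x20]+", "", value or "")
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", v)
    return bool(m) and m.group(1).lower() in SAFE_SCHEMES

class Scrubber(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # tag dropped, its text content is kept
        kept = [(n, v) for n, v in attrs
                if n in ALLOWED_ATTRS and (n != "href" or href_is_safe(v))]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is re-escaped on output

def scrub(html):
    """Return the scrubbed HTML for one incoming message body."""
    p = Scrubber()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Calling `scrub('<a href="javascript:void(0)" class="x">bad</a>')` returns `<a class="x">bad</a>`: the tag survives, the unlisted scheme does not.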