From: Peter C. McCluskey (pcm@rahul.net)
Date: Thu Nov 15 2001 - 16:27:37 CST
franklin.lists@qdefense.com (Franklin DeMatto) writes:

>As for the cross site scripting, I see no solution other than an option to
>disallow all attachments and MIME types other than text/plain. I did not
>see this option in the docs - I'll work on adding a patch. If someone

I think you can accomplish what you want by using this option:

    text_types = *

which is designed to cause all MIME types to be treated as text/plain.

I've done a few tests, and haven't found a way to get arbitrary html
tags past it, but I don't understand that part of the code well enough
to offer anything resembling a guarantee.

The result is ugly enough in many cases that I would be reluctant to
make it the default. It appears that the main change that is needed is
conspicuous documentation of the risks of using hypermail in combination
with SSI. I will make some changes along those lines soon.
------------------------------------------------------------------------------
Peter McCluskey | Free Dmitry Sklyarov! http://www.freesklyarov.org/
http://www.rahul.net/pcm |