HTML safety in posted messages

dg,

And another FYI - it came through fine to my email - TBird, set up to
read HTML, but only compose in ASCII.
Me too.

Mark Fletcher wrote:

> Just FYI, the reason the other message doesn't show up correctly in the
> archives is that you cut and pasted HTML radio button widgets.

I'm not sure what all the ramifications might be, but would it make sense for the email message bodies passed through also be "sanitized" - stripped of potentially harmful tags - just as the archive copy is?

That could provide a higher degree of confidence for members of Groups.io groups.

-- Shal
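An allowlist sanitizer of the kind Shal proposes, as an added example written for this page (it is not Groups.io's code, and the allowlist, the required-attribute rule and the constructed sample message are assumptions). It keeps a small set of formatting tags, removes everything else, including the pasted radio-button widgets Mark mentions, drops the body of script/style elements rather than just their tags, strips event-handler attributes, and rejects javascript:/data: URLs, using only the standard library:

```python
# Added example, not Groups.io code. ALLOWED_TAGS, REQUIRED_ATTR and SAMPLE
# are assumptions made for the illustration.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that survive, each with the attributes it may keep (assumed allowlist).
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "u": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "pre": set(), "code": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
# Elements whose content is dropped too: a <script> body or <style> sheet
# must not leak out as visible text once its tag is removed.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}
REQUIRED_ATTR = {"img": "src"}   # drop the tag if this attr is missing/unsafe
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """True for relative URLs and http(s)/mailto ones; False for javascript:,
    data:, vbscript: and friends. Browsers ignore tab/newline inside a URL,
    so strip C0 control characters before looking at the scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Re-serialises the document from its own token stream, so the output
    contains only tags and attributes this class chose to emit."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # output fragments
        self.open_tags = []   # allowed tags emitted but not yet closed
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth:
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return  # unknown tag (input, form, div, ...) removed, its text kept
        clean = {}
        for name, value in attrs:
            name = name.lower()
            if name not in allowed or value is None:
                continue  # drops onclick=, style=, a bare "checked", ...
            if name in ("href", "src") and not safe_url(value):
                continue
            clean[name] = value
        if tag in REQUIRED_ATTR and REQUIRED_ATTR[tag] not in clean:
            return
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in clean.items())
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close down to the matching tag; keeps nesting sane
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-escape all text

    # Comments, doctypes and processing instructions fall through to the
    # base class's no-op handlers and so are dropped.

    def result(self):
        self.close()
        while self.open_tags:  # close anything the message left dangling
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html_body):
    """Return the allowlisted rendering of an HTML message body."""
    s = Sanitizer()
    s.feed(html_body)
    return s.result()


# Constructed sample: pasted radio-button widgets plus the usual suspects.
SAMPLE = (
    '<p>Vote: <input type="radio" name="v" checked> Yes '
    '<input type="radio" name="v"> No</p>'
    '<script>document.location="http://evil.example/"</script>'
    '<p onmouseover="alert(1)">Hi <b>there</b>, '
    '<a href="javascript:alert(1)">click</a> or '
    '<a href="https://groups.io/" onclick="steal()">Groups.io</a></p>'
    '<img src="data:text/html;base64,AAAA"> <i>unclosed'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Two caveats a practitioner would add. Python's html.parser is lenient and can disagree with a browser or mail client on malformed markup; emitting a fresh serialisation from the parsed tokens, rather than splicing pieces of the original source, is what limits the damage from such disagreements. And the flip side Shal raises later in the thread is real: anything a group legitimately depends on has to be added to the allowlist explicitly, or it is lost along with the harmful tags.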


On Thu, Jan 15, 2015 at 10:39 PM, Shal Farley <shal@...> wrote:

> I'm not sure what all the ramifications might be, but would it make sense for the email message bodies passed through also be "sanitized" - stripped of potentially harmful tags - just as the archive copy is?
>
> That could provide a higher degree of confidence for members of Groups.io groups.

That's an interesting thought but I'm not sure it would improve anything. At this point, I've got to believe that most (all?) modern email clients have been hardened against these kinds of attacks.

Mark


Mark,

> That's an interesting thought but I'm not sure it would improve
> anything. At this point, I've got to believe that most (all?) modern
> email clients have been hardened against these kinds of attacks.

Except for dinosaurs like me, who insist on using an email client that hasn't seen an update since 2006 (Eudora Classic). On the other hand, when using its internal HTML rendering it supports so few HTML features (and no scripts at all) that it might be considered hardened. Or perhaps just petrified.

One benefit of having the emails match the archive is just that: the same user experience. But of course the downside is the flip side of that: some group might depend on a feature that is safe (enough) for them, but stripped in the archive.

Oh well, it was just a thought.

-- Shal