Re: Potential bug with image handling in MH 2.6.0?
On March 5, 2003 at 18:41, "Edward Wildgoose" wrote:
> I really need to think about how to let them keep the functionality, because
> to a large extent they don't/needn't care about Outlook bugs... I wonder if
> most browsers would display this correctly if I completely removed the
> erroneous "height" tag and just left the width tag?
Then the image would be displayed with the natural height of the image,
probably causing an even larger distortion.
> Also, apologies for my ignorance, but what sort of XSS vulnerabilities do I
> expose myself to if there is a password protected update mechanism. Is the
> risk that a particular user could upload something nasty for when another
> user views it?
Correct. It all comes to a matter of how much you trust the sender of
the message. Since anyone can view the archived message, a person
could include scripting in an attempt to steal information, like
cookies from those who view the message.
> Also, is it easy for me to modify the code to allow limited style tags to be
> available?
Depends on what you want to limit. Ideally, you want to avoid having
to do full CSS syntax parsing.
> Can you point me to the relevant lines please? (Perhaps I could
> use a regexp to allow only style tags with height and width attributes?)
See mhtxthtml.pl.
--ewh
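
Added example, not part of the original message and not MHonArc code: one way to allow limited style values without full CSS parsing is to rebuild the attribute from allowlisted declarations only, never passing the original text through. The helper name filter_style is hypothetical, and the code assumes the caller has already extracted and entity-decoded the style attribute value.

```perl
#!/usr/bin/perl
# Added example: NOT MHonArc code. filter_style() is a hypothetical helper.
use strict;
use warnings;

# Only these properties survive; everything else is dropped.
my %ALLOWED = map { $_ => 1 } qw(width height);

# Input:  the value of a style="..." attribute, already extracted from the
#         tag and entity-decoded by the caller (assumption).
# Output: a rebuilt style string holding only allowlisted declarations.
sub filter_style {
    my ($style) = @_;
    return '' unless defined $style;
    my (%seen, @keep);
    for my $decl (split /;/, $style) {
        # Property: letters and hyphens. Value: a short number with an
        # optional unit. Parentheses, quotes, slashes and backslashes cannot
        # match, so functions, strings, comments and escapes are rejected
        # without any CSS parsing.
        next unless $decl =~ /\A\s*([a-z-]+)\s*:\s*(\d{1,4}(?:px|em|%)?)\s*\z/i;
        my ($prop, $value) = (lc $1, lc $2);
        next unless $ALLOWED{$prop};
        next if $seen{$prop}++;    # keep the first occurrence of each property
        push @keep, "$prop: $value";
    }
    # The result is built only from validated tokens, so a fragment that
    # happened to split out of a rejected declaration is harmless.
    return join '; ', @keep;
}

# Constructed sample values, not taken from any real message.
my @samples = (
    'width: 320px; height: 240px',
    'WIDTH:50%;color:red',
    'height: 100px; background: url(http://example.invalid/x.png)',
    'width: expression(1)',
    'position: absolute; top: 0; left: 0',
    'wid\74h: 10px',
);
printf "%-62s => \"%s\"\n", $_, filter_style($_) for @samples;
```

An empty return value means the style attribute should be omitted from the output tag altogether.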