franklin.lists_at_qdefense.com (Franklin DeMatto) writes:
>As for the cross site scripting, I see no solution other than an option to
>disallow all attachments and MIME types other than text/plain. I did not
>see this option in the docs - I'll work on adding a patch. If someone

I think you can accomplish what you want by using this option:

    text_types = *

which is designed to cause all MIME types to be treated as text/plain. I've done a few tests, and haven't found a way to get arbitrary html tags past it, but I don't understand that part of the code well enough to offer anything resembling a guarantee. The result is ugly enough in many cases that I would be reluctant to make it the default. It appears that the main change that is needed is conspicuous documentation of the risks of using hypermail in combination with SSI. I will make some changes along those lines soon.

This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:53 PM GMT
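
The following is an added example, not part of the original message and not hypermail's code: a Python sketch of the idea behind treating every MIME type as text/plain, with a check that no tag or SSI directive from the message reaches the generated page unescaped. The function names and the sample message are constructed for illustration.

```python
import email
import html
from email import policy

# Constructed sample message (not from the original thread): an HTML part
# carrying a script tag and a benign server-side include directive.
SAMPLE = """\
From: sender@example.org
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

plain body
--b1
Content-Type: text/html; charset="us-ascii"

<p>hi</p><script>alert(1)</script><!--#echo var="DATE_LOCAL" -->
--b1--
"""

def render_all_as_text(raw: str) -> str:
    """Render every leaf MIME part as escaped text, whatever type it declares."""
    msg = email.message_from_string(raw, policy=policy.default)
    blocks = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the message
            text = payload.decode("utf-8", errors="replace")
        # Escaping <, > and & neutralises both HTML tags and "<!--#" SSI openers.
        blocks.append("<pre>" + html.escape(text, quote=True) + "</pre>")
    return "\n".join(blocks)

def has_live_markup(page: str) -> bool:
    """True if anything other than our own <pre> wrappers is still markup."""
    stripped = page.replace("<pre>", "").replace("</pre>", "")
    return "<" in stripped or ">" in stripped
```

Running `has_live_markup` over generated archive pages is a cheap regression check before enabling SSI on the directory that serves them.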