From shop Jun 15, 2009 5:02 PM
My definition of sanitized is fairly straightforward:

- No scripts
- No scripts in links (somewhat redundant, I know)
- No links that point directly off-site
- No embeds that point directly off-site (displaying attached images is fine)

This would, of course, break quite a few HTML e-mails, but should be reasonable.

A little simple encoding with a seed generated randomly per page view for links and off-site embeds which could be reversible in the browser with JavaScript if a user agrees should handle that problem. This would give you an Outlook- and Thunderbird-like "Enable links and embedded images in this message" button.

Using a separate root subdirectory (subethamail.org/disp/* instead of subethamail.org/se/*) for display of HTML e-mails would let you restrict cookies to the /se/* path and reduce the chance of cookie stealing.

From: users@subethamail.org [mailto:users@subethamail.org] On Behalf Of Jon Stevens
Sent: Monday, June 15, 2009 4:50 PM
To: users@subethamail.org
Subject: Re: HTML e-mail support

I'm not disagreeing with you about the quality of the display of our archives. It could definitely use some improvement.

It would be pretty easy to modify the template to not show anything other than the text/plain portion, but then what happens when there isn't a text/plain portion? You would get a blank page. A link to a sanitized* HTML version is also just as hard to securely display in a linked page as it would be in the actual page.

* define 'sanitized'. No embedded content? Nothing that can steal your cookies?

So, if you come up with a workable solution that makes you happy, let me know. Unfortunately, we are dealing with a pretty complicated problem here.

jon

My blog: http://lookfirst.com/

On Mon, Jun 15, 2009 at 3:42 PM, shop <shop@pmcs-inc.com> wrote:

Pretty would be nice...

Ideally I'd like to see the plain text version, or a properly sanitized version if it's not multipart in the archives. A link to a sanitized HTML version would be nice, as embedding it directly or displaying as-is is a fairly bad idea from a security and privacy perspective.

-Chris

From: users@subethamail.org [mailto:users@subethamail.org] On Behalf Of Jon Stevens
Sent: Monday, June 15, 2009 3:36 PM
To: users@subethamail.org
Subject: Re: HTML e-mail support

Well, that is up for interpretation. =) How would you like it to appear in the archives?

jon

My blog: http://lookfirst.com/

On Mon, Jun 15, 2009 at 3:26 PM, shop <shop@pmcs-inc.com> wrote:

Though not in the archive...

From: users@subethamail.org [mailto:users@subethamail.org] On Behalf Of Jon Stevens
Sent: Monday, June 15, 2009 2:57 PM
To: users@subethamail.org
Subject: Re: HTML e-mail support

Clearly handles it just fine.

jon

On Mon, Jun 15, 2009 at 2:49 PM, shop <shop@pmcs-inc.com> wrote:

Looking at the documentation <http://code.google.com/p/subetha/w/list> and mailing list archives <http://www.subethamail.org/se/archive.jsp?listId=4>, it is not clear how well SubEtha handles HTML e-mails such as this one.

Would you enlighten me please? I'm hoping to deploy SubEtha, well, tomorrow.

[cid:image001.jpg@01C9EDDA.09697750]
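The allow-list policy Chris lays out above (no scripts, no scripts in links, no direct off-site links or embeds, attached cid: images allowed), with off-site targets parked in an attribute so an opt-in button could restore them later, as an added example that is not part of this thread and not SubEtha's own code. ARCHIVE_HOST, PolicySanitizer, the data-offsite attribute and the sample message body are assumptions; the per-page-view encoding and the cookie-path change are not shown.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ARCHIVE_HOST = "subethamail.org"   # assumed: the only host whose links stay live
ALLOWED = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "div", "span", "a", "img"}
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed", "form"}

def classify_url(url):
    """local = relative, same-host or cid: attachment; offsite = other host; None = script scheme."""
    p = urlsplit(url)
    if p.scheme in ("javascript", "vbscript", "data"):   # a script in a link: drop outright
        return None
    same_site = p.scheme in ("http", "https") and p.hostname == ARCHIVE_HOST
    return "local" if p.scheme == "cid" or (not p.scheme and not p.netloc) or same_site else "offsite"

class PolicySanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0      # output fragments; depth inside dropped subtrees
    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if value is None or name.startswith("on") or name == "style":
                continue                 # no event handlers, no inline CSS
            if (tag, name) in (("a", "href"), ("img", "src")):   # normalise as browsers do
                # browsers drop C0 controls/spaces and read '\' as '/', so classify the cleaned form
                value = value.translate({c: None for c in range(0x21)}).replace("\\", "/")
                kind = classify_url(value)
                if kind == "local":
                    kept.append((name, value))
                elif kind == "offsite":  # parked: not fetched, not clickable, until opt-in
                    kept.append(("data-offsite", value))
        attrs_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attrs_text}>")
    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    def sanitize(self, body):
        self.feed(body)
        return "".join(self.out)

# Constructed sample body exercising each rule; the cid: image is the attached one.
SAMPLE = ('<p>Hi <script>steal(document.cookie)</script>there <a href="javascript:alert(1)">x</a> '
          '<a href="http://evil.example/t?i=1">evil</a> <a href="/se/archive.jsp?listId=4">ok</a> '
          '<img src="http://evil.example/pixel.gif"> <img src="cid:image001.jpg@01C9EDDA.09697750" '
          'alt="sewious.jpg" onerror="x()"></p>')
```

Running `PolicySanitizer().sanitize(SAMPLE)` keeps the text, the relative archive link and the cid: image, drops the script, the javascript: href and the onerror handler, and parks both evil.example targets in data-offsite.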
