Re: [Lurker-users] How to prefer HTML if a message has both plain and HTML?
From: Wesley W. T. <we...@te...> - 2013-10-05 13:40:58
On Fri, Oct 4, 2013 at 9:39 PM, Kaz Kylheku <ka...@ky...> wrote:

> My Lurker installation now has a "html_filter" configuration option. Here you can specify a command to use to sanitize the HTML. If nothing is specified, there is no filtering.

Before you spend too much time on this, I just wanted to make sure you understand that I have no intention of integrating these changes into the official lurker package. I consider HTML an inherently dangerous and constantly evolving language. There are practically no tags that cannot be abused via the addition of javascript events. Even if you filter out what is dangerous today, an updated HTML specification may make previously harmless tags a vector for cross-site scripting attacks. See, for example, the development of CSS.

If you want to filter HTML in your copy of lurker, go for it, but I will not include what I consider an inherently unsafe feature in software I distribute.
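The defensive shape the argument above implies, as an added example that is neither lurker's code nor the html_filter command from the thread: a sanitizer that keeps only a fixed allowlist of tags and attributes, so every event-handler attribute, any `javascript:` URL and any tag a later HTML revision introduces is dropped by default rather than having to be recognised first. The tag and attribute lists, the scheme list and the sample input are my assumptions.

```python
from html.parser import HTMLParser
from html import escape

# Allowlist, not denylist: anything not named here is dropped. A tag or
# attribute added by a future HTML revision is therefore rejected until
# someone consciously adds it, which is the failure mode the thread describes.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no class
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                        # drop the tag; its text is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # onmouseover, onerror, ... all land here
            if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue                  # e.g. javascript: or data: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is always re-escaped

    def handle_comment(self, data):
        pass                              # comments are dropped outright


def sanitize(html: str) -> str:
    """Return html reduced to the allowlisted tags/attributes, text escaped."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # constructed sample message body
    print(sanitize('<p onmouseover="x()">Hi <a href="javascript:x()">there</a></p>'))
```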