  • From: Steve Shipway <address@concealed>
  • To: Guenter Lau <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: RE: [sympa-users] filtered HTML in homepages from lists
  • Date: Thu, 6 Dec 2012 11:01:12 +0000

> File homepage from lists does not work.
> sympa shows only text, but no images and no links.
>
> In sympa 5..., we have lists with a customizing homepage.
> The same file homepage in sympa 6.1.14 does not work.

This seems to be deliberate in the code, particularly the stripping of HTML
links. This also happens in the archives :(

We got around it by making a couple of changes:

First, to the mhonarc-ressources.tt2, in order to prevent link stripping in
the archives, look for the MIMEARGS and change it to be like this:

<MIMEARGS>
text/plain; asis=us-ascii:iso-8859-1:iso-8859-2 nonfixed quote htmlcheck
maxwidth=78 link="http,https,ftp,mailto"
text/html; asis=us-ascii:iso-8859-1:iso-8859-2 allownoncidurls
m2h_external::filter; subdir usename
</MIMEARGS>

Next, in lib/tools.pm, in subroutine _create_xss_parser, add these to the
parameters given to the new() function:

AllowHref => 1, AllowMailto => 1,

This stops links being stripped out and makes these types of links get
autocreated if found in the info page (one of the requirements we had).

Then, in wwsympa.cgi, around line 16900, you see this:

$param->{'htmlToFilter'} = {
'homepage_content' => 1,
'info_content' => 1,
};

This defines which parameters have HTML stripped out. If you remove them
from here and add them to the above htmlAllowedParam then people can put HTML
into these options. We did not make this change for this reason. Possibly
you would want to strip from info_content but not from homepage_content?

Having said all this, there is a definite security risk from removing all the
sanitisation code. Someone could do some damage to your web interface,
either maliciously or through ignorance. You might want to leave some of it
in there. The info above pertains to 6.1.11 but I believe 6.1.14 is pretty
much identical in this respect.

Steve



Steve Shipway
ITS Unix Services Design Lead
University of Auckland, New Zealand
Floor 1, 58 Symonds Street, Auckland
Phone: +64 (0)9 3737599 ext 86487
DDI: +64 (0)9 924 6487
Mobile: +64 (0)21 753 189
Email: address@concealed
Please consider the environment before printing this e-mail:
Printing this e-mail reduces a tree's chance of survival.


Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19+.