At 11:52 AM 7/16/00 -0400, Tom Neff wrote:
>Joe Smith <[EMAIL PROTECTED]> wrote:
>> On Wed, Jul 12, 2000 at 01:45:26PM -0400, Tom Neff wrote:
>> > I disagree, because MLM authors have a duty to avoid relying on
>> > dangerous syntaxes like BestServ's pointy-delimited ID string.
>>
>> What exactly is dangerous about angle brackets <> in the Subject: line?
>
>This was already explained,
You may have seen it explained somewhere else, or I could have missed it,
but I don't think it was on this list. And the explanation should apply
to mail bodies as well, I would think.
>but to recap, some mail clients (notably various
>versions of AOL) will interpret HTML tags when displaying Subject (and
>possibly other) email headers. The potential effects range from visual
>annoyance to actual malicious behavior on the user's PC (see the February
>CERT advisory).
This is clearly bad and dangerous software design on the part of
the authors of the AOL mail client(s).
>As Adam Bailey points out, the Internet credo (honored in the breach by
>tiros) is liberal acceptance, conservative emission. In this case that
>means that what SHOULD happen is
> (a) email reading software should aggressively escape or "quote" HTML and
>similar markups found in incoming mail by default, rather than attempting to
>render them, except where the user has permitted otherwise;
> (b) email sending software should avoid the use of SGML/HTML "lookalike"
>markups for their own purposes, and quote/escape any SGML/HTML they do need
>to send, except in an appropriate MIME envelope.
That credo is for machine-generated and machine-interpreted data; it
actually refers to interoperability, and may be found in RFC-1123.
Feel free to misapply it, but I don't think it then supports your
conclusions.

(a) is certainly true, but for other reasons (i.e., security).

The credo as applied to (b) here would be to send meaningful headers
(indeed, the body as well) in plain text rather than HTML. It has
nothing to do with whether what you send happens to use the
same character set as something else.

BestServ's subjects ARE plain text that just happens to contain angle
bracket characters.

I also suspect that BestServ had prior art here, and that HTML in email was
unheard-of at the time.
>In this case, AOL made a mistake in their email reader, to be sure, and
>they'll probably get around to fixing it, but it takes a long time to
>upgrade millions of members and we cannot afford to hold our breaths for the
>duration.
They should not also break the MTA or MDA just because their MUA is broken.
>Anyway as List-Managers we are primarily concerned with the
>SENDING side, and there too, BestServ made a double mistake as I mentioned
>before: enclosing a parsable token in unquoted angle brackets, and insisting
>on seeing them sent back untouched along with the confirmation token itself.
No, BestServ made NO mistake. Angle brackets have never required
quoting in Subjects (and if quoted, that's two characters anyway). And
all tokens are "parsable" as far as I know. And the "untouched" surely
is because THEY ARE *A PART OF* THE CONFIRMATION TOKEN. That's the way the
format was defined at the time. And the subsequent use of HTML in email
(though never should it have been interpreted that way in Subjects)
does not render their original decision a "mistake."

AOL made the mistake(s). BestServ did not.
>> HTML, if present, is in the body of the message, not the headers.
>
>I puzzled over this statement for a minute... I *think* what Joe means is
>that this is what he thought the rules must say. Actually there is no such
>rule, since email formatting predates HTML, and HTML's specification is
>email agnostic. In principle HTML can exist in any CDATA or other readable
>text field, and in practice when you scour the spools you see it quite a bit
>outside the safe confines of a message-body MIME envelope.
Doesn't it require the string "<HTML>" or something to mark the start of HTML
interpretation? If so, I'm guessing that that is NOT present in the
Subject headers in question.
Stan
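
The reader-side handling from point (a) of the quoted text, as an added example that is not part of the original message or of any mail client's or list manager's code: the Subject is escaped only where it is handed to an HTML renderer, while the reply keeps the raw header text so a bracketed confirmation token comes back intact. The addresses, the token format and the function names are constructed for illustration, and the example also covers RFC 2047 encoded-words, which the thread does not mention.

```python
import html
import re
from email import message_from_string
from email.header import decode_header, make_header

# Constructed messages. The angle-bracketed ID is a made-up stand-in for a
# list manager's confirmation token, not BestServ's real format.
CONFIRM = (
    "From: list-request@lists.example\n"
    "To: user@mail.example\n"
    "Subject: Confirm <ID-0001-EXAMPLE> to subscribe\n"
    "\n"
    "Reply to confirm.\n"
)
# Same kind of header, but the brackets arrive inside an encoded-word, so
# escaping has to happen after decoding, not before.
MARKUP = (
    "From: someone@mail.example\n"
    "To: user@mail.example\n"
    "Subject: =?utf-8?q?Sale_=3Cb=3Etoday=3C/b=3E?=\n"
    "\n"
    "Body.\n"
)


def subject_text(raw):
    """Return the Subject as plain text, decoding RFC 2047 encoded-words."""
    value = message_from_string(raw)["Subject"] or ""
    return str(make_header(decode_header(value)))


def subject_for_html_view(raw):
    """Point (a): escape the header before it reaches an HTML renderer."""
    return html.escape(subject_text(raw), quote=True)


def reply_subject(raw):
    """The reply is built from the raw text, never from the escaped view."""
    return "Re: " + subject_text(raw)


def extract_token(subject):
    """List-manager side: recover the token, brackets included."""
    match = re.search(r"<[A-Za-z0-9-]+>", subject)
    return match.group(0) if match else None
```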