Jeremy Howard wrote:

> I'm interested in providing 'HTML email' support for my users 
> (like HotMail, Outlook Express, Eudora 4.0, etc. provide), but 
> I'm very nervous about security. Essentially, providing HTML 
> email involves letting any arbitrary HTML get displayed by Apache...

I've been through this problem with my webmail program, acmemail.
The problem is much greater with webmail than with other web
applications in general, due to the fact that you actually want to
allow HTML emails to display properly.

I currently use some code based on John Hardin's "Defang HTML
active-content tags" routine in his procmail security package.
<URL:http://www.wolfenet.com/~jhardin/procmail-security.html>
He's been working on it for a while, and appears to have it
down to a fine art. It hopefully disables any (possibly malicious)
code in an HTML message.

However, I'm sure it doesn't cope with everything. Someone should
really come up with an ultimate, general, solution...

Leon
--
Leon Brocard   |   perl "programmer"   |   [EMAIL PROTECTED]
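The tag-defanging approach Leon describes, as an added example that is not part of this post, of acmemail, or of John Hardin's procmail routine: an allowlist filter on Python's standard html.parser that drops active-content containers, on* event handlers and non-http/mailto/cid URLs, and re-escapes message text. The tag and attribute allowlists, the `Defanger`/`defang`/`safe_url` names and the constructed `SAMPLE` body are assumptions for this example.

```python
import html
from html.parser import HTMLParser
# Allowlists here are an assumption for this example, not acmemail's or Hardin's lists.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li", "blockquote", "div", "span"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")
DROP_WITH_CONTENT = {"script", "style", "object", "iframe", "applet", "title"}

def safe_url(value):
    # Browsers ignore control chars and spaces inside a scheme, so strip them before comparing.
    return "".join(c for c in value if c > " ").lower().startswith(SAFE_SCHEMES)

class Defanger(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded attribute values are decoded first
        self.out, self.skip = [], None           # skip = name of the container being dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT and not self.skip:
            self.skip = tag                      # the element and everything inside it vanish
        if self.skip or tag not in ALLOWED_TAGS:
            return                               # other unknown tags are dropped, their text kept
        parts = [f"<{tag}"]
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue                         # event handlers, style, class... never pass
            if name in ("href", "src") and not safe_url(value or ""):
                continue                         # javascript:, data:, vbscript: URLs are removed
            parts.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append("".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):                 # text is re-escaped; comments/PIs dropped by default
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def defang(body):
    p = Defanger()
    p.feed(body)
    p.close()
    return "".join(p.out)

SAMPLE = ('<p onmouseover="steal()">Hi <b>there</b></p><script>alert(document.cookie)</script>'  # constructed
          '<a href="java&#115;cript:alert(1)">click</a> <a href="https://example.org/">ok</a>'
          '<img src="cid:part1" alt="logo">')
```

The allowlist is the important inversion relative to a list of known-bad tags: anything the filter does not recognise is dropped rather than passed through, so new or obscure active-content vectors fail closed.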
