[Mimedefang] Why 'defanged_src' ?

Aaron Paetznick aaronp at critd.com
Mon Sep 30 16:00:01 EDT 2002 

There seems to be little day-to-day impact for using HTMLCleaner versus 
not, except for the img src thing.  I'm thinking "everything except 
images" might be a good option to consider supporting for the cleaner, 
because many larger sites with vocal minorities might not use the 
cleaner altogether just because of the img issue.


--Aaron



Graham Dunn wrote:
> On Mon, Sep 30, 2002 at 01:18:22PM -0600, Ashley M. Kirchner wrote:
> 
>>Aaron Paetznick wrote:
>>
>>
>>>That's Anomy's doing.  I've struggled with this too.  I believe someone
>>>submitted a patch to this list that changes this behavior, but I'm not
>>>sure what the status of that is.  I don't think it is within
>>>MIMEDefang's influence to bypass this problem, you'll need to change the
>>>HTMLCleaner.pm file.
>>>
>>>Once we figure this out, maybe we can distribute a patch with the MD
>>>package (ala MIME-Tools) that fixes this issue.
>>
> 
> ureshii# diff -u HTMLCleaner.pm HTMLCleaner.pm.orig
> --- HTMLCleaner.pm      Thu Jun  6 12:16:05 2002
> +++ HTMLCleaner.pm.orig Thu Jun  6 12:15:30 2002
> @@ -408,7 +408,7 @@
>          "ismap"    => "anything",
>          "loop"     => "alnum",
>          "lowsrc"   => "src",
> -        "src"      => 1,
> +        "src"      => "src",
>          "start"    => "alnum",
>          "usemap"   => "href",
>          "vspace"   => "size",
> 
> 
>>    Before we go that far, maybe we should figure out why first.  There might
>>be a valid reason, I just don't know what it is.  I'd like to hear some
>>arguments on this before making a decision on whether I want to defang img src
>>tags or not.
> 
> 
> AFAIK, the distastful thing about getting img src= in email is that
> your email client goes and fetches that picture, giving the site owner
> a log of who's reading the email that got sent ... I don't know enough
> about web bugs to say this can be used in a similiar fashion.
> 
> I don't defang the img src tags.
> 
> Graham
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

More information about the MIMEDefang mailing list