iframe dilemma: a compromise?

David Lee t.d.lee at DURHAM.AC.UK
Wed Nov 6 16:06:18 GMT 2002

On Wed, 6 Nov 2002, Tal Kelrich wrote:

> On Wed, 2002-11-06 at 14:38, Julian Field wrote:
> > So, say you have
> >          Allow IFrame Tags = yes
> > but you also have a new option
> >          Convert Dangerous HTML to Text = yes
> > then the message contents would be allowed through (by the 1st option) but
> > it would be stripped down to plain text (by the 2nd option). The definition
> > of "Dangerous" in this context is HTML containing either IFrame tags or
> > Object Codebase tags.
> how about converting it into slightly less dangerous HTML? (assuming
> users still want their HTML mail intact, which I think will mostly be
> the case)
> ie, turn IFRAME into DIV or something similar.

So, to generalise, Julian's suggested binary switch:
   Convert Dangerous HTML to Text = yes

this could become something vaguely like:
   Convert Dangerous HTML = {text|div|\&perl_routine|...}

Note the "vaguely like": this is simply exploration of ideas.

The "text" would strip out the iframe (result is a text message containing
HTML tags: not spectacularly user-friendly, but simple and vaguely

The "div" would convert the "iframe": presumably the result would be
modified HTML, still viewed in a WWW-browser-like window.

The "\&perl_routine" would allow a site to have its own code.  (Analogy: I
recall some discussion about some sort of "Custom" facility.)  For
instance, that "perl_routine" might somehow invoke a custom, safer
browser (perhaps lynx?).  All very hand-wavy!


:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
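The `{text|div|\&perl_routine}` switch floated above, sketched as an added example; it is not part of the original post and not MailScanner code, and it is written in Python rather than Perl. The class and function names are hypothetical, "text" is assumed to mean Julian's "stripped down to plain text", and an `<object codebase=...>` is assumed to be kept with all its attributes removed.

```python
from html import unescape
from html.parser import HTMLParser

# Constructed sample body; "x" and "y" stand in for remote URLs.
SAMPLE = '<p>A &amp; B <br/></p><iframe src="x"></iframe><object codebase="y"><b>alt</b></object>'

class DangerousHTMLRewriter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = {"div": [], "text": []}   # both renderings, built in one pass
        self.dangerous = False   # saw <iframe> or <object codebase=...>
        self.in_iframe = 0       # > 0 inside an iframe: its content is dropped

    def _emit(self, markup, text=""):
        if not self.in_iframe:
            self.out["div"].append(markup)
            self.out["text"].append(text)

    def handle_starttag(self, tag, attrs):
        bad = tag == "iframe" or (tag == "object" and "codebase" in dict(attrs))
        self.dangerous |= bad
        safe = "<div>" if tag == "iframe" else f"<{tag}>"   # attributes dropped
        self._emit(safe if bad else self.get_starttag_text())
        self.in_iframe += tag == "iframe"

    def handle_startendtag(self, tag, attrs):   # <br/> etc.: emit no "</br>"
        self.handle_starttag(tag, attrs)
        if tag in ("iframe", "object"):
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        self.in_iframe = max(self.in_iframe - (tag == "iframe"), 0)
        self._emit("</div>" if tag == "iframe" else f"</{tag}>")

    def handle_data(self, data):
        self._emit(data, data)
    def handle_entityref(self, name):
        self._emit(f"&{name};", unescape(f"&{name};"))
    def handle_charref(self, name):
        self._emit(f"&#{name};", unescape(f"&#{name};"))

def convert_dangerous_html(body, mode):
    """mode is "text", "div", or a callable (the site's own routine)."""
    parser = DangerousHTMLRewriter()
    parser.feed(body)
    parser.close()
    if not parser.dangerous:
        return body              # nothing dangerous: message passes unchanged
    return mode(body) if callable(mode) else "".join(parser.out[mode])
```

Only the two constructs named in the thread are neutralised; comments and declarations are dropped, and every other tag is passed through as written.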
