Convert Dangerous HTML feature

Lancaster, David Matthew dml at UNB.CA
Thu Oct 16 17:35:23 IST 2003


Quoting Peter Peters <P.G.M.Peters at utwente.nl>:

> On Thu, 16 Oct 2003 09:59:22 -0300, you wrote:
>
> >The HTML Forms option is causing a bit of grief here.
> >
> >I had briefly blocked HTML forms, but a number of users receive legitimate HTML
> >newsletters with forms in them. (search boxes, etc.)
> >
> >So I disabled the block HTML Forms option....but now HTML emails with form tags
> >are converted to text, since I have the "Convert Dangerous HTML To Text" option
> >set to yes.
>
> I use rules to only allow in mail from certain senders.

Yeah, did that for a few days while evaluating the impact.

> >Now, I appreciate this feature, since it permits IFRAMES and OBJECT CODEBASE
> >ridden emails to be passed while mitigating the dangers of such.
> >
> >So, what I'm wondering is, can the "Allow ..." and "Convert" options be changed
> >to allow a fine-grain level of control.
> >
> >Perhaps something like:
> >Allow Object Codebase Tags = convert
> >Allow IFrame Tags = convert
> >Allow Form Tags = yes
>
> You could use the same rulesets for the Allow-rules and the
> Convert-rules but reversed. An address in the Allow-rule with a yes
> would end up in the convert-rule with a no. You can even write a script
> that converts the one rule-file to the other while replacing yes and no.

Yes, but I'd prefer to not have to keep adding to the lists.

I just foresee more items (e.g. javascript, webbugs, lazy html) being added as
triggers to the "Convert Dangerous..." function, but only wanting some of the
triggers active.

D.
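
Added example, not part of the original post or of MailScanner: a sketch of the script suggested in the quoted reply, which mirrors an allow ruleset into a convert ruleset by flipping yes and no. The sample addresses are constructed placeholders and the function names are hypothetical; it assumes the usual "direction pattern value" ruleset line layout.

```python
import re

# Constructed sample "allow" ruleset; the addresses are placeholders.
SAMPLE_ALLOW_RULES = """\
# Senders whose HTML newsletters may keep their form tags
From:      news@newsletter.example    yes
From:      *@lists.example            yes
FromOrTo:  default                    no
"""

FLIP = {"yes": "no", "no": "yes"}
# direction, pattern (one or more tokens), then the value as the last token
RULE = re.compile(r"^(\s*\S+\s+.*?\S\s+)(\S+)(\s*)$")


def invert_rule_line(line):
    """Flip the trailing yes/no of one rule; pass comments and blanks through."""
    if not line.strip() or line.lstrip().startswith("#"):
        return line
    match = RULE.match(line)
    if match is None:
        raise ValueError(f"not a 'direction pattern value' rule: {line!r}")
    head, value, tail = match.groups()
    if value.lower() not in FLIP:
        # Fail closed: a filename or unknown value cannot be inverted blindly.
        raise ValueError(f"value is not yes/no: {line!r}")
    return head + FLIP[value.lower()] + tail


def invert_ruleset(text):
    """Return the mirrored ruleset, e.g. allow-rules -> convert-rules."""
    return "".join(invert_rule_line(l) for l in text.splitlines(keepends=True))


if __name__ == "__main__":
    print(invert_ruleset(SAMPLE_ALLOW_RULES), end="")
```

The mirrored file is still keyed on sender rather than on tag, so it does not provide the per-tag control requested in the thread.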


