Problem with HTML disarm

shuttlebox shuttlebox at gmail.com
Fri Dec 21 10:20:53 GMT 2007


I've recently been involved in debugging Nortel HW and their support
made some remarks about how MailScanner disarms HTML that I wanted to
share with the list.

When a mail with script tags is received it looks something like this
(tag is intentionally split):

<SCR IPT class=xnet_script>
  {add some javascript code here}
</SCR IPT>

I use disarm and get something like this:

<MailScannerScript6851 SCRIPT class=xnet_script>
  {add some javascript code here}
</MailScannerScript6851>

What happens is that, depending on the e-mail client/web browser used
to look at the mail, different things are rendered. Some (typically
Firefox) show the mail as it was intended but others (typically IE and
Outlook) show only the script in clear text and nothing of the mail
itself. Nortel said that the more correct way (according to HTML
standards) to disarm scripts would be to insert remark tags like this:

<MailScannerScript6851 SCRIPT class=xnet_script>
  <!--
  {add some javascript code here}
  -->
</MailScannerScript6851>

Anyone else this has happened to? Opinions? Could this be added to MS
for more correct HTML rendering?

-- 
/peter
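
The rendering difference described in the post can be modelled with Python's html.parser, which, like a client that does not recognise the renamed tag, treats the element's content as ordinary text unless it sits inside a comment. This is an added example, not part of the original message and not MailScanner's code; the `disarm` helper, the sample script bodies and the `--` escaping step are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

class VisibleText(HTMLParser):
    """Collects text nodes; comment nodes are parsed but never collected."""
    def __init__(self):
        super().__init__()
        self.text = []

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def visible_text(html):
    """Return the text a tag-agnostic renderer would display."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return parser.text

def disarm(body, tag="MailScannerScript6851", comment=False, escape=True):
    """Rebuild the renamed element from the post around a script body
    (hypothetical helper, not MailScanner's implementation)."""
    if comment:
        if escape:
            # Break every "--" so the body cannot contain "-->" or "--!>",
            # either of which would close the comment early.
            body = re.sub(r"-(?=-)", "- ", body)
        body = "<!--\n" + body + "\n-->"
    return "<%s SCRIPT class=xnet_script>\n%s\n</%s>" % (tag, body, tag)

def mail(script_html):
    """Constructed sample message with text before and after the script."""
    return "<p>Hello</p>" + script_html + "<p>Bye</p>"

# Constructed sample script bodies
PLAIN = "var x = 1;"
TRICKY = 'var s = "a-->b";'

if __name__ == "__main__":
    cases = [
        ("renamed tag only", disarm(PLAIN)),
        ("renamed + comment", disarm(PLAIN, comment=True)),
        ("comment, unescaped body", disarm(TRICKY, comment=True, escape=False)),
        ("comment, escaped body", disarm(TRICKY, comment=True)),
    ]
    for label, html in cases:
        print("%-26s %r" % (label, visible_text(mail(html))))
```

The third case shows why a comment wrapper has to neutralise `--` in the script body: otherwise the comment closes at the first `-->` and the remainder is displayed as text again.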

