HTML Attachments and Allow Script Tags = disarm

Russell Lahti rlahti at stellarbb.com
Tue Dec 6 18:09:50 UTC 2022


I’ve been under the impression that the “Allow Script Tags” parameter applied to attachments, but it seems to not be the case if you use the “disarm” value.
Mailscanner accurately detects that there is a script tag in the html attachment, but the disarm functionality seems to be limited to the email body only, and not to the attachments.
I tracked this down to Message.pm, where DisarmHTMLEntity is only ever called once, and only if the entity is *not* an attachment:

  if ($entity->head->mime_attr('content-disposition') !~ /attachment/i &&
      $entity->head->mime_attr('content-type')        =~ /text\/html/i) {

I modified this to also apply to attachments, and confirmed that it did disarm as expected.
I was just curious why there was a difference between the initial detection of the presence of the script tag in SweepContent.pm, and the subsequent handling of that script tag in Message.pm?

Is this the expected behavior?  I’m aware of options for blocking and tagging of html attachments utilizing sa, and that handling of attachments is different from message body, but was curious about this specific scenario which seemed like a discrepancy to me.

Thank you,

-Russell

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20221206/09846861/attachment.html>


More information about the MailScanner mailing list