Submitted by : loony at: 2007-09-15T05:15:27-07:00 (10 years ago)

Content of mails should be cleaned from html-tags and/or the mail should be sent in plaintext AND html-format

not so sure about this --betabug, Sat, 15 Sep 2007 06:52:45 -0700 reply

A lot of people use mail subscriptions as a safeguard against malicious edits. In such a context, if we strip out the html, an edit that will change e.g. an image's attribute or a link target will go unnoticed. If we send out edited html pages as html in mail, then those things either won't get noticed or - even worse - they can fool the mail receiver too (e.g. to click on a phishing link).

To be honest... --loony, Sat, 15 Sep 2007 15:34:29 -0700 reply

..what should anybody do with such a garbled mail? Perhaps it should be configurable how the mail is sent or at least turn off sending the content (changes) if it contains html... Anyway, I wrote a patch for it, Mail.py uses stripogram for stripping html tags. Works fine for me. I'll upload it within the next few days, just in case somebody is interested in this...

html is not "garbled" for everybody --betabug, Mon, 17 Sep 2007 05:06:46 -0700 reply

As I've tried to express before, some people are very much interested to see even minimal changes in page contents. These people know that <a href="http://www.google.com" is not the same as <a href="http://www.evil-spammer.com" (for just one very obvious example). "Cleaning" the edit mails from HTML tags would remove that difference.

So my answer to "..what should anybody do with such a garbled mail?" is "read it, and look for what's really changed" :-)
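
betabug's point above, as an added example that is not part of the thread and is not Zwiki or stripogram code: a plain tag stripper built on Python's standard `html.parser` (a stand-in, not stripogram's `html2text`) gives identical mail text for two revisions that differ only in a link target, while a conversion that keeps URL-bearing attributes next to the text keeps the edit visible. The function names and the bracket notation are assumptions; the two URLs are the ones from the comment.

```python
import difflib
from html.parser import HTMLParser

# Attributes whose value decides where a click or a fetch goes.
URL_ATTRS = {"href", "src", "action"}


class TextExtractor(HTMLParser):
    """Collect page text; optionally keep URL-bearing attributes in brackets."""

    def __init__(self, keep_urls):
        super().__init__(convert_charrefs=True)
        self.keep_urls = keep_urls
        self.out = []

    def handle_starttag(self, tag, attrs):
        if not self.keep_urls:
            return  # plain stripper: the tag and all its attributes vanish
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.out.append("[%s %s=%s] " % (tag, name, value))

    def handle_data(self, data):
        self.out.append(data)


def to_text(html, keep_urls):
    """Plain-text rendering of a page revision, whitespace normalised."""
    parser = TextExtractor(keep_urls)
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.out).split())


def mail_diff(old_html, new_html, keep_urls):
    """Changed lines a subscriber would see in a text-only edit mail."""
    old, new = to_text(old_html, keep_urls), to_text(new_html, keep_urls)
    diff = list(difflib.unified_diff([old], [new], lineterm=""))[2:]
    return [line for line in diff if line[:1] in "+-"]


# Constructed sample: two revisions that differ only in the link target.
OLD = '<p>Search with <a href="http://www.google.com">this engine</a>.</p>'
NEW = '<p>Search with <a href="http://www.evil-spammer.com">this engine</a>.</p>'

if __name__ == "__main__":
    for keep in (False, True):
        print("keep_urls=%s" % keep, mail_diff(OLD, NEW, keep) or "no visible change")
```
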

okay, point taken... but... --loony, Mon, 17 Sep 2007 07:51:32 -0700 reply

We use the wiki for an internal project, so no outsiders will have access to it. For that purpose and for the convenience of our non-coders I changed the behaviour. You are absolutely right as far as security is concerned!

for anybody who wants to have text only... --loony, Mon, 17 Sep 2007 07:54:49 -0700 reply

WARNING: use only if security is not an issue for you (e.g. if your wiki is not accessible for everybody)

NOTE: you need stripogram package in your python path

--- Mail.py     2007-09-15 17:53:35.000000000 +0200
+++ Mail.py     2007-09-15 18:21:58.000000000 +0200
@@ -3,6 +3,8 @@
 import re, sys
 from types import *

+from stripogram import html2text
+
 from I18n import _
 from TextFormatter import TextFormatter
 from Utils import html_unquote,BLATHER,formattedTraceback,stripList, \
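Review bot: the unconditional `from stripogram import html2text` at module level means Mail.py fails to load on any install where stripogram is not on the Python path, so the cost of a missing optional package is the whole module rather than just the stripping. Wrap the import in try/except ImportError and fall back to passing the text through unchanged, and record the new dependency in the install notes.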
@@ -658,7 +660,7 @@
                 self.emailAddressesFrom(
                     self.subscriberList() + \
                     self.wikiSubscriberList(edits=self.isBoring())),
-                text,
+                html2text(text),
                 REQUEST,
                 subjectSuffix=subjectSuffix,
                 subject=subject,
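Review bot: `html2text(text)` in this subscriber mailout is unconditional, so every wiki running this Mail.py loses the markup in its mails with no way to opt out, and nothing in the call checks that the page is HTML in the first place. Gate it on a setting (for instance a hypothetical folder property such as `mail_strip_html`, off by default) and on the page type, so sites that review raw markup keep the current behaviour.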
@@ -691,7 +693,7 @@
                          self.wikiSubscriberList(edits=1)
         self.sendMailTo(
             self.emailAddressesFrom(recipients),
-            text,
+            html2text(text),
             REQUEST,
             subjectSuffix=subjectSuffix,
             subject=subject,
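Review bot: the recipients here come from `wikiSubscriberList(edits=1)`, the people who asked to see edits, and stripping tags from their copy risks removing attribute values such as `href` and `src` from what they review. If plain text is wanted for this list, use a conversion that keeps the URL next to the link text, or skip the stripping for this call.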
@@ -743,7 +745,7 @@

         mailhost = self.mailhost()
         if mailhost.meta_type == 'Secure Mail Host':
-            msg = text + "\n\n" +  self.signature(msgid)
+            msg = html2text(text) + "\n\n" +  self.signature(msgid)
             additional_headers = {
                                 'Reply-To':self.replyToHeader(), \
                                 'X-Zwiki-Version':self.zwiki_version(), \
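Review bot: the conversion is repeated here inside the `Secure Mail Host` branch and again in the next hunk, on top of the two call sites above, so if this code is reached through those `sendMailTo` calls the text goes through the tag stripper twice, and any literal `<` in already plain text is exposed to it again. Convert once in one place, for example by assigning the converted text to a local at the top of this method, and drop the other three calls.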
@@ -807,7 +809,7 @@
                self.pageUrl(),
                self.pageUrl(),
                self.wikiUrl(),
-               text,
+               html2text(text),
                self.signature(msgid),
                )

... --simon, Thu, 20 Sep 2007 09:07:28 -0700 reply

Name: '#1380 Mailout: Subcribed pages containing HTML are sent in plain text format by mail' => '#1380 mailouts from HTML pages are sent in plain text format'
Category: general => user-mail
Severity: normal => wishlist

I can see the point that sometimes this does not do what an HTML user would want, yet the current system is simple, and I'm not sure how to do better.

In the case of edit mailouts, the HTML is not well-formed, so these need to be plain text. A comment to or creation of an HTML page will probably be well-formed, and could be made into an HTML message part, which is both a win and a loss as noted. HTML in structured text pages is another case to consider.

It's perhaps better to keep things consistent and always send out mails of the same type.

If you can give more detail of how you use zwiki and how the current behaviour is causing you pain, we might think of something.

PS --simon, Thu, 20 Sep 2007 09:07:45 -0700 reply

PS thanks for the patch.