$Cambridge: hermes/src/prayer/docs/SECURITY,v 1.1.1.1 2003/04/15 13:00:03 dpc22 Exp $

text/HTML model implemented by sqwebmail and adopted by Prayer

Browser Security - HTML

SqWebMail has the ability to display HTML E-mail, which leads to several
complicated situations regarding embedded Javascript or Java applets that
try to grab the mailboxid of the recipient (amongst other things).
SqWebMail attempts to remove all forms of scripting from HTML E-mail as
follows:

 * The following HTML tags are removed: , , , , , , , , , , , , , , , , ,
   , , , , .

 * The following HTML attributes are stripped from every tag: ONLOAD=,
   ONMOUSEOVER=, and all ON*= attributes; TARGET=, CODE=, CODETYPE=, and
   LANGUAGE= are removed; TARGET=_blank is added to all tags.

 * The HREF and SRC attributes are stripped, unless the URL starts with
   one of the following: http:, https:, ftp:, gopher:, wais:, or telnet,
   and cid:.

 * The HREF and SRC attribute values are prefixed with a URL that will
   resolve to SqWebMail, and with an additional TARGET="_blank" attribute.
   A request to that resulting URL will result in a blank page with a
   0-second refresh to the original URL. This method strips mailbox IDs
   from Referer: headers sent to external web sites. If the HREF
   attribute starts with a cid:, it is replaced by an http: reference to
   SqWebMail that will return the specified MIME part.

 * IMG tags are removed and replaced with an A tag, in order to keep the
   HTTP client from automatically loading any images from external web
   sites upon opening a given message.
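An added example, not Prayer's or SqWebMail's own code, that implements the attribute and URL rules listed above in Python: ON*= handlers and TARGET/CODE/CODETYPE/LANGUAGE are dropped, HREF/SRC values outside the listed schemes are stripped, allowed ones are routed through a redirector page, cid: references become a MIME-part fetch, and IMG is replaced by an A tag. The "/redirect" and "/part" paths, reading "telnet" as "telnet:", adding TARGET=_blank only to rewritten links, and the caller-supplied set of removed tags are assumptions (the page's own tag list did not survive extraction).

```python
import re
from urllib.parse import quote

# Schemes an HREF/SRC may start with (the page's list; "telnet" read as "telnet:").
ALLOWED_SCHEMES = ("http:", "https:", "ftp:", "gopher:", "wais:", "telnet:", "cid:")
DROPPED_ATTRS = {"target", "code", "codetype", "language"}
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r"""([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def rewrite_url(url, base):
    """Apply the HREF/SRC policy; None means the attribute is stripped."""
    u = url.strip()
    if not u.lower().startswith(ALLOWED_SCHEMES):
        return None                      # javascript:, data:, relative, ...
    if u.lower().startswith("cid:"):
        # cid: becomes a fetch of that MIME part (hypothetical "/part" endpoint).
        return f"{base}/part?cid={quote(u[4:], safe='')}"
    # Anything external goes via a redirector page, so the webmail URL (and the
    # mailbox id in it) never reaches the remote site's Referer log (hypothetical "/redirect").
    return f"{base}/redirect?url={quote(u, safe='')}"

def sanitize_tag(m, base, removed_tags):
    closing, name, rest = m.group(1), m.group(2).lower(), m.group(3)
    if name in removed_tags:
        return ""
    if closing:
        return m.group(0)
    kept, link = [], None
    for a in ATTR_RE.finditer(rest):
        attr = a.group(1).lower()
        value = next(v for v in a.groups()[1:] if v is not None)
        if attr.startswith("on") or attr in DROPPED_ATTRS:
            continue                     # ON*=, TARGET=, CODE=, CODETYPE=, LANGUAGE=
        if attr in ("href", "src"):
            link = rewrite_url(value, base)
            if link is None:
                continue                 # disallowed scheme: attribute stripped
            value = link
        kept.append('%s="%s"' % (attr, value.replace('"', "&quot;")))
    if name == "img":
        # IMG becomes a link, so the client never auto-fetches remote images.
        return f'<a href="{link}" target="_blank">[image]</a>' if link else "[image]"
    if link is not None:
        kept.append('target="_blank"')   # assumption: added to rewritten links
    return f"<{name} {' '.join(kept)}>" if kept else f"<{name}>"

def sanitize_html(html, base, removed_tags=frozenset()):
    """removed_tags: tags dropped outright (the page's own list did not survive extraction)."""
    return TAG_RE.sub(lambda t: sanitize_tag(t, base, removed_tags), html)
```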