GroupServer and HTML Email

A recent article in Network World, “Google updates Postini spam engine to stop new JavaScript attacks”,
made me very glad that GroupServer (and OnlineGroups.Net, by extension)
only displays plain-text email messages.[1]
The problem is this:

  • Fancy formatting in email uses a system called HTML.
  • HTML can contain a programming language called JavaScript.
  • JavaScript can do evil.
  • It is very difficult to remove the JavaScript from the HTML.

HTML is the format that all Web pages are written in, including
this one.
It allows all the things you would expect of word-processors, such as
making text bold, adding bullet lists, and breaking the text into paragraphs.
Email messages are often sent with both a plain-text and an
HTML version.[2]

JavaScript is normally used to provide little interactive tweaks to an
HTML page.
For example, JavaScript changes the Search button on
this search page
to say Processing… when you click it.
JavaScript allows me to make these small improvements that make
GroupServer easier to use.

Sadly, JavaScript can be used to carry out nefarious activity —
just like telephones allowed prank calls, and email allowed spam.
It was this problem that Google came across.
Ne’er-do-wells sent messages with JavaScript in them; the messages did
unexpected things, such as
“forwarded the user’s browser to a pharma site or tried to download
something unexpected”,
according to Google’s Official Google Enterprise Blog.
A few years ago Google purchased an entire company,
Postini,
to help them deal with this sort of problem.
Despite all the effort by Google, some nefarious JavaScript managed to get through to Gmail, which is what prompted the article in Network World.

It is possible to strip JavaScript from a page, but spotting the
JavaScript is surprisingly hard.[3]
Thankfully, there are tools that clean the HTML, such as htmllaundry on the
Python Package Index, and I would love to integrate one into GroupServer.
Sadly, the HTML can be quite different after it has been cleaned.[4]
Each of the different email programs (Microsoft Outlook, Apple Mail, Mozilla
Thunderbird, Eudora, IBM Lotus Notes, Google Gmail, Microsoft Hotmail,
Yahoo! Mail, Novell Evolution, Pegasus Mail…)
produces a slightly different variant of HTML.
Checking what the messages from each program look like after cleaning is a
daunting task.
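To show what “cleaning” means in practice, here is an added example (not GroupServer’s code, and not htmllaundry): an allowlist cleaner built on Python’s standard-library html.parser that takes the safest route footnote 4 describes, dropping the style attribute along with scripts, event handlers and javascript: links, at the cost of changing how the message looks. The ALLOWED_TAGS list, the safe_href helper and the SAMPLE message are assumptions of this example, not anything from the post.

```python
import re
from html import escape
from html.parser import HTMLParser
# Allowlist: anything not listed is dropped, so <script>, on* handlers and the
# style attribute (footnote 4) never reach the page, at the cost of some layout.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
def safe_href(value):  # hypothetical helper: scheme check after removing whitespace
    return re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith(SAFE_SCHEMES)

class EmailHtmlCleaner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element together with its text
        elif not self.skip_depth and tag in ALLOWED_TAGS:  # unknown tags vanish, text stays
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and (n != "href" or safe_href(v or ""))]
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag != "br":
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:  # also closes tags left open inside this one
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def clean_email_html(html):
    cleaner = EmailHtmlCleaner()
    cleaner.feed(html)
    cleaner.close()
    cleaner.out += [f"</{t}>" for t in reversed(cleaner.open_tags)]  # close leftovers
    return "".join(cleaner.out)

# Constructed sample body: inline style, an event handler, a script and a javascript: link.
SAMPLE = ('<p style="color:red" onclick="x()">Hello <b>world</b><script>evil()</script>'
          ' <a href="javascript:y()">bad</a> <a href="http://example.com/">ok</a></p>')
```

Running clean_email_html(SAMPLE) keeps the paragraph, the bold text and the http link, and silently loses the red colour, which is exactly the appearance change the post complains about.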

I want GroupServer to support HTML email.

However, the task is way down on my to-do
list: it is currently job 126.
In the meantime, I am pleased that our pages, and the members of the groups
run by GroupServer, are safe.

Footnotes

  1. The HTML version of the message is stored and
    forwarded on to the other group members. However, GroupServer only
    displays plain text on the website.
  2. The HTML produced by most email clients does
    not conform to any standard that I know of.
    It is truly awful stuff.
  3. The Wikipedia page on Cross Site Scripting
    (http://en.wikipedia.org/wiki/Cross_Site_Scripting)
    details a few ways that different systems try to overcome this
    problem.
    It also links to the Browser Security Handbook, which shows some of the many ways
    JavaScript code can be hidden.
  4. One of the problems is with the style
    attribute.
    It normally controls how things look, and is a good thing.
    Sadly, JavaScript can be embedded in the style attribute
    (http://code.google.com/p/doctype/wiki/ArticleXSSInStyle).
    Removing the style attribute would be the safest thing
    to do, but doing so changes what a message looks like.

[This post is based on a topic, “What is your current thought on HTML”,
in the GroupServer Development Online Group.]
