
On 9/8/25 15:38, Sam Darwin via Mailman-users wrote:
Or, the more the topic is discussed, I see there are two parts. Hyperkitty rendering is one of them. The other being to find a way to sanitize HTML of outgoing emails.
If you want to accept HTML in posts, you should ensure that only trusted users can post. This is good practice anyway to avoid spam on the lists. Then you don't have to be too concerned about malicious HTML.
I was asking if you envisioned that a text/html part outside of a multipart/alternative part would cause mailman to create a text/plain alternative and package it with the text/html part in a multipart/alternative part. But if that was not your intent, OK.
I hadn't thought about that situation.
Maybe it is relevant after all. And then, you said that you are not interested in doing that. It might need to be investigated along with these other features. Not sure.
You can currently convert HTML to plain text, but that replaces the HTML. I understand you want both so your users have the option of seeing one or the other depending on MUA settings, but I don't see a demand for a feature like that.
The issue is not in the plain text converted from the HTML by Mailman's Convert html to plaintext feature. The issue is in the text/plain alternative created by Yahoo when a message is composed as "rich text" and created by Yahoo as multipart/alternative. Were you looking at that text/plain alternative part from Yahoo, i.e. what you see in the outgoing mail if Collapse alternatives is Yes?
The list's settings are Collapse alternatives=Yes and Convert html to plaintext=YES. Standard "plain" URLs are ok, but I was just now able to replicate some sort of problem. Using the Yahoo toolbar, a fully HTML hyperlink with an href and name failed to render in plain text. It resulted in just plain text without appearing as a "link".
If you are saying it resulted in the URL being rendered in the text/plain alternative as a text string, that is not what I see.
I just composed a message from Yahoo to a non-yahoo address. I created the message in Yahoo's HTML editor. It simply said "Hi mark. Here's a link." after which I pasted today's Google Doodle link. In the resultant message the HTML part rendered as
Hi mark. Here's a link. Google Search
where "Google Search" was the above link I had pasted and this was also followed by a Google Search graphic which was also the same link.
However the text/plain part in its entirety (minus my signature) was
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Hi mark. Here's a link. Google Search
|=20 |=20 | |=20 Google Search
|
|
|
The display text "Google Search" was in the text/plain part, but the text of the link itself appeared nowhere in the text/plain part.
interesting... The future plan would be to set all filtering to NO. All MIME parts delivered. But then, what if a plain-text version is missing somehow?
Then the message will contain only the HTML. But if you do that, malicious HTML and missing plain text will be the least of the things to be concerned about. All sorts of malicious malware can be attached to email in other than HTML parts.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
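
The case described in this thread, a link whose target exists only in the text/html alternative and is absent from the sender's text/plain alternative, can be checked mechanically before choosing Collapse alternatives or HTML-to-plaintext settings. The following is an added example, not part of the original message and not Mailman code; the function name, sample address and URL are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser


class HrefCollector(HTMLParser):
    """Collect the href value of every <a> tag in an HTML part."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def links_missing_from_plain(raw):
    """Return hrefs found in text/html parts but in no text/plain part."""
    msg = email.message_from_string(raw, policy=policy.default)
    collector, plain = HrefCollector(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector.feed(part.get_content())  # transfer encoding is decoded
        elif ctype == "text/plain":
            plain.append(part.get_content())
    text = "\n".join(plain)  # empty when there is no text/plain part at all
    return [h for h in collector.hrefs if h not in text]


# Constructed sample shaped like the message described above (placeholder URL).
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi mark. Here's a link. Google Search=20
--b1
Content-Type: text/html; charset=UTF-8

<p>Hi mark. Here's a link. <a href="https://example.com/doodle">Google Search</a></p>
--b1--
"""

if __name__ == "__main__":
    print(links_missing_from_plain(SAMPLE))
```

A message with only a text/html part returns every href, which corresponds to the "plain-text version is missing" case raised above.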