On 01Sep2015 14:39, David Champion <d...@bikeshed.us> wrote:
* On 01 Sep 2015, mwnx wrote:
Thanks. I didn't know you could do that. It seems that it requires
'allow_ansi' to be set to 'yes' though. To my understanding, this allows
ANSI sequences in the original message to be interpreted, which, as
suggested by mutt's manual, does pose somewhat of a security risk.
It would be nice to have a way to have an option like 'allow_display_ansi'
which would permit ANSI sequences to be added by the display filter while
still filtering out ANSI sequences present in the original message. Oh well,
... maybe I'll see about writing a patch.
I'm not sure there's really any security risk in allow_ansi. (Perhaps
there was once, I don't recall.) Looking quickly at the ANSI-handling
code, it seems to allow only colors and text attributes (bold,
underline, etc). It doesn't appear to do anything with the more
dangerous sequences.
I also thought allow_ansi didn't do anything risky. It is just parsing a very
limited set of attribute escape sequences in the input; the output is as
normal. In particular, IIUC, it isn't passing the ANSI sequences _through_ to
the display. It is parsing a few and setting the various markup features in the
output, which are then rendered in the normal curses highlighting/colouring
processes.
Cheers,
Cameron Simpson <c...@zip.com.au>
TeX: When you pronounce it correctly to your computer, the terminal may
become slightly moist. - D. E. Knuth.
