Authentication-Results: mail-b.sr.ht; dkim=pass header.d=vpzom.click header.i=@vpzom.click; dkim=pass header.d=messagingengine.com header.i=@messagingengine.com
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26])
	by mail-b.sr.ht (Postfix) with ESMTPS id 694C1FF109
	for <~vpzom/lotide@lists.sr.ht>; Tue, 29 Dec 2020 17:48:41 +0000 (UTC)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
	by mailout.nyi.internal (Postfix) with ESMTP id 38F305C016A
	for <~vpzom/lotide@lists.sr.ht>; Tue, 29 Dec 2020 12:48:41 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
  by compute1.internal (MEProxy); Tue, 29 Dec 2020 12:48:41 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vpzom.click; h=
	subject:to:references:from:message-id:date:mime-version
	:in-reply-to:content-type; s=fm2; bh=4/ypNd9nmVFCxZjBcSRekwkcpGk
	ixXnFhIhQe6VC2FU=; b=wKXLtV8sHeVWtha6c8yOXY2hGbFQqEWZkdDkz6tkzBX
	1x01Mfyz+UZEeXIbY3nJVd4GtkNBGWj7XQdbahrsJJJ3oMomll65XfTSysRrzYUS
	MJkE4afxbrP4Lf91Or/swS25enof33aiO1Gqi8HnSmt+QBbg6eEmLVkw/lRpVbRx
	YP+XsMkY8QaaehtrR0xk8FJ09V2btXV5AjvStsGQmLzQz8QUs04y6rrKp02Vj3pP
	4YyzMgGQYOmeWI48703WK27wqJfC/pXfVkV34tv0Z5xydBUI/kviecFJAiy/xKEn
	D5HFNfhlcMcojp63gmAxz9oZ5sV09LxxTXfxY9ThBlw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to:x-me-proxy
	:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=4/ypNd
	9nmVFCxZjBcSRekwkcpGkixXnFhIhQe6VC2FU=; b=IO9mAhyvkX5dSxk9OlfQuN
	YTW1cORIJLg1DMSbDU53JFOOToFUeOfJr+ajp96AvJJ5kQ1d8p8lt6uo8CJ6txFf
	or7d7vJB4z8T2QxlD8VDrD9m/sUflYGD0K6qu031+DiudZkLj4bE2sw8AI6al223
	QY6uPx0v2vOvJg8MWfaIUrvaZkqQycV4Rr0SX9n4y1jelDcngiBgbGcE/FuDYI00
	x7r9nyLargo5UDKfYx399QJYyyobFFM3eMcel6XVbh6Upud889xOl+W9ahttvjYD
	UMsqLAA5VHf+Ip2SEs4Zu5h6tpTbkMgobwlNK8GcHyfAVwsnyR7ZWTU4hPqGT5oA
	==
X-ME-Sender: <xms:-GvrX35w85kjg4SjExw0ihuPi2aQ0g0-g-RmVzbSh9C5rIYmoZM_Sg>
    <xme:-GvrX8411oN_QBUCoSiUPlMWkEPhsevFqnuq1Nb4iSTnDSDb4Xj92y7DIdrza6VnL
    s1Rxblv3G5KS6csKhg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrvddvuddguddtiecutefuodetggdotefrod
    ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
    necuuegrihhlohhuthemuceftddtnecunecujfgurhepuffvfhfhkffffgggjggtsehgtd
    erofdtfeehnecuhfhrohhmpeevohhlihhnucftvggvuggvrhcuoegtohhlihhnsehvphii
    ohhmrdgtlhhitghkqeenucggtffrrghtthgvrhhnpeeffeejkeejhfdugeeggedvgeeuvd
    evvdejheevjedvjeehueegleeliedtveejveenucfkphepudeitddrfedruddrkedunecu
    vehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptgholhhinh
    esvhhpiihomhdrtghlihgtkh
X-ME-Proxy: <xmx:-GvrX-dU1MtKggk3UOPuwUaKF-4GGi5_dPLSOe3uvMu3tlSbY7i43g>
    <xmx:-GvrX4Ich2mN3DATZR25L6zKcjnm53Or7-KB4Ram4xoAu8ah5TSeQw>
    <xmx:-GvrX7KzP5I_w_p1wKzUtNA91H6ITBGWIakvqyNTuwWJBBF9fh0LWQ>
    <xmx:-WvrXwUtxhsTnoMAG4JZSNaF6YMxPmC73vEqZv7hyZgSvjKTWpqgkA>
Received: from [192.168.0.21] (160-3-1-81.cpe.sparklight.net [160.3.1.81])
	by mail.messagingengine.com (Postfix) with ESMTPA id 6C3FD240057
	for <~vpzom/lotide@lists.sr.ht>; Tue, 29 Dec 2020 12:48:40 -0500 (EST)
Subject: Re: [Bug hitide]: Rendering HTML from remote?
To: ~vpzom/lotide@lists.sr.ht
References: <11664220.O9o76ZdvQC@hoshi>
From: Colin Reeder <colin@vpzom.click>
Autocrypt: addr=colin@vpzom.click;
 keydata= mQENBFiGT0cBCADB5jVX+UtZ4ZPCHJxgFKnNAl2oD1AHPlpHNd/12lUVGG+dC0nFiyFUAu58
 rDV0AfOYGq9WG7tm9dgzG6N7gD7EAbIrNPWBFovD3Q0IgPINaoKGRb59S4giDTP3pGknIc/8
 omvVH2ZKAy7wJ9G04H/C26zur4j0/RBPG9ZeZYdJ216nHNxG3RFwtWhY5xZC54FEt3mG97O6
 MmgjtsVgzBaQnqr8R9ePwdkW+cx6YBRBMZhcxHhMhkDZ1+QxFANAtSQ4/E/mEuz/ReAyRxGG
 L5pJ5JGcirMSeDGbbNZdi/OhbB53nPnfQ+XTCEOYE+bqAQTdQTOAspTePBeghVRbNpo1ABEB
 AAG0IENvbGluIFJlZWRlciA8Y29saW5AdnB6b20uY2xpY2s+iQFOBBMBCAA4FiEE9D2cUxKh
 BJqPLq7pX3iH59FTxdIFAlwez2sCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQX3iH
 59FTxdLNcwgApfqT1kuJdeCpqy5liGOCy7AMmevEoBXfRhuHkDLtR0GhUMRvAJ1QAFBvGMbw
 rlLHYqZDo/QPU5piiYAtqsrJP1TvOLsIHKwLUtSwkPFN0P0ow3KF5oIwaiiVi7gru1wEZSsQ
 FxkTf8C6qFQee4tpn12BrJbqBbur2wYdbAMHBnQ/siF/cwB15uIDoJavmWdbYiHDVJN5/3HE
 SOnMnY6GU2ZoI0nHVHHuh97pxic8wa5LTnKc+Rf2YYuSUDRCjGfozhqhiTfcX5Mw+SsnLcG+
 GZKp9E1LZM82egUJve9PTBjHkhDsdVCXb8/u4LaGJPq8+wqdYzlLbE3QbgSAhYioM7kBDQRY
 hk9HAQgAtg5ydByoMQyWXTBXagt55IjWCxt7eEQGJ/RNOrIcmEKztXRd4dvG/fGU2qc08P70
 ZA/fEv12jaazCwj+i0s8lT8vHvLrg6n0CHnsusWgGWgnWWc0wZsfEvz86JuiTGnZLj5hX+6s
 Od13xkYfwKtEk74V4SDIraMDHipfVC2Xy1gVP+rNeu0ZfY8iXKvgv2HFsEFOsGs0/UBDyhgL
 RYJD0AHQ/tPwdb11Zw3ICNi2i0Yw3q8xVvvA2iYLtuQ99Bd2SEk709Szp4xXbbxFlmTlzNaw
 +YQiSB7ZVjVxaRQe8amTlEUZzf0qJk9N6u6gphCEXMaFoBRoEeztARj9nhefoQARAQABiQE2
 BBgBCAAgFiEE9D2cUxKhBJqPLq7pX3iH59FTxdIFAliGT0cCGwwACgkQX3iH59FTxdL7swgA
 uiMpH+EROHbL9/N/Gf1pGbO5y90Bqcd4Xa/nRzv1a2VP/HGmahZOEepQPnwj8jkuEjl/7Cki
 ktVPQ9u71v9rwHdfn7Plg2F1H56lFutzehgFWYSibfHAL9a5ffnq6HnI2BbT8q/o+KX1ckMY
 J8OKKx3uVTlUYuj3/MtWl3y/8cBpo84RFybqDdJDyMiKUrVuFMJFsGd8idHPv46wYnTSBzJR
 jN+pwbEMphSKsQwWqxbvOhl2Wy6TgYCaQXXURmt9fb21kKEvjg+rcHTprAqQKrWbm5fD5So1
 vJzn3cI7wDsQjBfDxdE6tlzphp3lP0QZDc9xHTYBBgvun6uNQplIsQ==
Message-ID: <e156957e-4190-5f4c-aa12-b271b53c58f6@vpzom.click>
Date: Tue, 29 Dec 2020 10:48:37 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <11664220.O9o76ZdvQC@hoshi>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="QpkF9z32iNHy3PeXoFfTYSsB8R9GdZLFo"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--QpkF9z32iNHy3PeXoFfTYSsB8R9GdZLFo
Content-Type: multipart/mixed; boundary="liqWNoFdJbOp7K5xjOlGCLrke6ts8kMz9"

--liqWNoFdJbOp7K5xjOlGCLrke6ts8kMz9
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

We certainly can't just embed untrusted HTML, but this is the same
situation as post content, which lotide sanitizes with ammonia before
returning in the API. Probably should do the same with user descriptions
and then it would be okay to render them


--liqWNoFdJbOp7K5xjOlGCLrke6ts8kMz9--

--QpkF9z32iNHy3PeXoFfTYSsB8R9GdZLFo
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE9D2cUxKhBJqPLq7pX3iH59FTxdIFAl/ra/UACgkQX3iH59FT
xdJYnAf/SVnvUp7Uruk/nLxZWzUEZg+ydpmjNrvvBfFybctIbvH2KNi2bnRnL9Zb
vOWGaFxcJyhtFfZgCVR7WAKB0E6Tupy4t+K0+xibRmdCwrm7Oqq8vl25eHYh3Yip
BABqUYENz3Kam8DPmh9eItNe+hPZaJtpmCKZYVKMtOZipzFq4EiNNOTBYOycludj
VFFEe3NRWEseX9S/PZZqnUHdscwGqqfrLcDCHjSY76efM2/9KkQbgLFXMOIYe7tO
AhN08rWJe5VUS5y9QpklJWprVC+i/ZOEHmsKdnfHbcQp0n+4d989yr6i8Mj03vXo
UlitkvN/533PkjnnuGsGGkA+e/X8IA==
=4RRD
-----END PGP SIGNATURE-----

--QpkF9z32iNHy3PeXoFfTYSsB8R9GdZLFo--