I pulled all of this:
removed that xss code, and now get
Invalid sender: ! Not adding email!
A copy of the message has been forwarded to the administrator.
Ignoring email - not authorized.
memory at end of e-mail processing:29819520
despite the sender being listed AND also the admin
Thank you mathew.weaver; doing explicitly what you suggested worked for me.
The new anti-xss code will also prevent messages with any of the following words within them from being processed:
as well as over 700 more.
So forget about telling someone to "manage their subscription" or mention biblical scripture in a message you want Postie to publish to your website.
I'm reverting to 1.4.3.
@robfelty - if you want to implement this type of functionality, it *really* needs to have a front-end option for us to disable it.
I just played around a bit. I'm using apple mail app, so that might have something to do with it.
While I removed both "base64" and "meta" it started working for me.
A security risk, but I haven't had any problems so far. And if I do, I'll address it then.
Thanks for the help of the community
What users should understand is that this is only a security risk *if* none of the existing options to prevent unauthorized content are used. You should be using a unique email address for the target address, and a specific authorized sender email address, or allowed SMTP servers or any of the other methods to ensure validity of the content before posting. If you're already doing that, then this "feature" will only introduce problems for legitimate messages - such as blacklisting common terms in the content or attachments.
I pulled lines 36-40 (commented them out with "//") and I was able to make posts again.
I also ended up commenting out the antiXSS check code, mainly because I trust my sender authorization settings. But the reason why the antiXSS check causes problems is that it checks for usage of "meta" and "base64", both of which are frequently used for legitimate reasons. I hope the plugin author finds some better way of handling the antiXSS check.
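An added example (not code from this thread or from Postie) contrasting the two approaches the posts above describe: a plain-substring word filter of the kind that trips on "meta" and "base64", and the source-based checks (unique target address, authorized sender, allowed SMTP host) that the earlier reply recommends relying on instead. The setting names, the sample message and the `is_authorized` function are constructed for illustration, not Postie's own options or logic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed settings (hypothetical names, not Postie's own option keys).
TARGET_ADDRESS = "post-7f3a9c@example.com"      # unique, hard-to-guess target mailbox
AUTHORIZED_SENDERS = {"editor@example.com"}
ALLOWED_SMTP_HOSTS = {"mail.example.com"}
# The kind of word list the thread complains about; matched as plain substrings.
NAIVE_BLACKLIST = ("meta", "base64", "subscription")

# Constructed legitimate message: authorized sender, correct mailbox, allowed relay.
LEGIT_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.5]) by inbox.example.com
From: Editor <editor@example.com>
To: post-7f3a9c@example.com
Subject: Weekly notes

Please manage your subscription in the portal; the metadata sheet is attached.
"""

def naive_blacklist_rejects(body: str) -> bool:
    """Keyword filter: 'metadata' or 'manage your subscription' is enough to trip it."""
    lowered = body.lower()
    return any(word in lowered for word in NAIVE_BLACKLIST)

def is_authorized(raw_message: str) -> tuple:
    """Layered source checks: target address, sender allowlist, relay host. Returns (accepted, reason)."""
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != TARGET_ADDRESS:
        return False, "wrong target address"
    _, from_addr = parseaddr(msg.get("From", ""))
    if from_addr.lower() not in AUTHORIZED_SENDERS:
        return False, "sender not authorized"
    # Only the topmost Received header was written by our own MTA; lower ones are
    # whatever the sender chose to include, so they are not consulted.
    received = msg.get_all("Received") or [""]
    match = re.match(r"from\s+(\S+)", received[0])
    if not match or match.group(1).lower() not in ALLOWED_SMTP_HOSTS:
        return False, "relay host not allowed"
    return True, "ok"

if __name__ == "__main__":
    body = message_from_string(LEGIT_MESSAGE).get_payload()
    # The word filter rejects this legitimate post; the source checks accept it.
    print(naive_blacklist_rejects(body), is_authorized(LEGIT_MESSAGE))
```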
I've only installed postie today and although it's showing emailed post titles ok, neither images nor text are being displayed.
My geekiness has its limits - I can't understand why emailing to WP is so hard when it was one of the few things Blogger did properly.
I ended up deleting and reinstalling the previous version 1.4.3 and now all works just fine. Seeking input from @http://profiles.wordpress.org/robfelty/ to address the XSS errors issue that comes with the latest version.
As a power user/blogger, trying to move stories from Google reader, via IFTTT to Postie and to my blog, I would be excited to hear that he's decided to monetize his project with a pro level at a Buffer type price (Awesome is $10/mo).
What say you Mr Felty?
I commented out the code. It's completely frivolous for me. All posts come in through a single-source email address tied to multiple broadcast only listservs (meaning I control the messaging at all levels). The risk of an XSS attack, at least for me, is essentially zero.
Commenting out did restore functionality.
1.4.5 has fixed this XSS issue
I just installed Postie for the first time and have been struggling with this issue. It is v1.4.5, so it is NOT fixed.
1.4.5 did fix some XSS issues, but clearly not all. 1.4.6 will be doing this differently.