anomy-bugs

Anomy HTML Cleaner 1.17 security bug

From: Paul Wallingford (20516@xyz.molar.is)
Date: Thu 16 Jan 2003 - 11:56:10 GMT


    Hello,

    I have identified the following bug in the HTML Cleaner version 1.17.

    If a <NL> appears just after the equal sign in an attribute and there is
    no space before the equal sign, then Anomy fails to defang that piece.

    Example: data is exactly as passed to Anomy, including all line
    breaks. Notice #4 does not get properly defanged.

    Input data --

    1) <img src="http://www.yahoo.com/image.jpg">
    2) <img
    src="http://www.yahoo.com/image.jpg">
    3) <img src
    ="http://www.yahoo.com/image.jpg">
    4) <img src=
    "http://www.yahoo.com/image.jpg">
    5) <img src="http://www.yahoo.com/image.jpg">
    6) <img src="http://www.yahoo.com/image.jpg"
    >
    7) <img src = "http://www.yahoo.com/image.jpg">
    8) <img src =
    "http://www.yahoo.com/image.jpg">

    Output data --

    1) <img DEFANGED_src="http://www.yahoo.com/image.jpg">
    2) <img
    DEFANGED_src="http://www.yahoo.com/image.jpg">
    3) <img DEFANGED_src
    ="http://www.yahoo.com/image.jpg">
    4) <img src=
    "http://www.yahoo.com/image.jpg">
    5) <img DEFANGED_src="http://www.yahoo.com/image.jpg">
    6) <img DEFANGED_src="http://www.yahoo.com/image.jpg"
    >
    7) <img DEFANGED_src = "http://www.yahoo.com/image.jpg">
    8) <img DEFANGED_src =
    "http://www.yahoo.com/image.jpg">
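
The whitespace handling this report calls for, as an added example in Python (not Anomy's own Perl code and not part of the original message): an attribute scanner that accepts whitespace, newlines included, on either side of the equal sign, run over the eight inputs above. The `DEFANG_ATTRS` policy, the function names and the regexes are assumptions of this sketch.

```python
import re

# Assumed policy for this sketch: attribute names to neutralise (lower-case).
DEFANG_ATTRS = {"src"}
PREFIX = "DEFANGED_"  # prefix shown in the report's output

# A tag: "<name", then attribute text in which quoted values are skipped
# whole (so ">" or "=" inside a value cannot confuse the scan), then ">".
TAG = re.compile(r"""<([A-Za-z][A-Za-z0-9]*)((?:"[^"]*"|'[^']*'|[^<>"'])*)>""")
# One attribute: whitespace, name, optional "= value". The \s* on both
# sides of "=" matches newlines too, covering inputs 3, 4 and 8.
ATTR = re.compile(
    r"""(\s+)([^\s=<>"'/]+)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?""")

def _defang_attr(m):
    ws, name, rest = m.group(1), m.group(2), m.group(3) or ""
    if name.lower() in DEFANG_ATTRS:
        name = PREFIX + name
    return ws + name + rest

def defang(html):
    """Prefix every policy-listed attribute name inside each tag."""
    def _tag(m):
        return "<" + m.group(1) + ATTR.sub(_defang_attr, m.group(2)) + ">"
    return TAG.sub(_tag, html)

URL = '"http://www.yahoo.com/image.jpg"'
# The eight inputs from the report, line breaks included.
CASES = [
    "<img src=" + URL + ">",
    "<img\nsrc=" + URL + ">",
    "<img src\n=" + URL + ">",
    "<img src=\n" + URL + ">",   # input 4: newline right after "="
    "<img src=" + URL + ">",
    "<img src=" + URL + "\n>",
    "<img src = " + URL + ">",
    "<img src =\n" + URL + ">",
]

def missed_cases():
    """Return the 1-based numbers of inputs left without the prefix."""
    return [i for i, c in enumerate(CASES, 1) if PREFIX + "src" not in defang(c)]

if __name__ == "__main__":
    print("not defanged:", missed_cases())
```

Keeping the eight inputs as a regression list means any later change to the attribute pattern is checked against every line-break layout in the report, not only the one that failed.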


