anomy-bugs

Stylesheets

From: Paul Wallingford (28600@xyz.molar.is)
Date: Fri 24 Oct 2003 - 12:43:47 GMT

  • Next message: Kees Cook: "two patches"

    Anomy defangs the <style> and </style> tags. However, this leaves all
    the style text in between exposed and it renders on the user's screen.
    This can lead to a denial of service or possible a way for other
    malicious tags to sneak by (I have not tested this hypothesis yet since
    it is not the reason for my email).

    My question is: Is there any harm in letting the style tags through
    untouched? Is there a way to encode something malicious in the style
    section? Other than simple annoyances like same color text and
    background? Viruses? Exploits?



    hosted by molar.is