Re: Why do you need to defang META ??

From: Bjarni R. Einarsson
Date: Tue 21 Aug 2001 - 13:52:18 UTC


    On 2001-08-21, 09:42:15 (-0400), Jim Rosenberg wrote:
    > Hello, sorry to pester you directly, but I posted a message about this to
    > anomy-list many moons ago and never saw an answer.

    Ah, sorry about that.

    > What exactly is the risk with the HTML META tag that makes you defang it? I

    The first thing that comes to mind is the meta-refresh command, which
    can be used to trick the recipient's client into loading a new page,
    thus facilitating cross-site scripting attacks, cookie abuse, web bugs
    and so on. There are META sub-types which /may/ be harmless, but since
    at the moment the sanitizer works on a per-tag basis, it'll need more
    code to let them through.

    > find this causes the sanitizer to go off on practically *every* HTML E-mail
    > message, with the result that my users never bother to look at the
    > sanitizer.log attachment. Is it really that dangerous? Could this be
    > governed by a policy in the config file?

    The next release (which I'm sitting on as I iron out some bugs in new
    code) allows people to specify their own blacklisted tag list in the
    configuration file. People who feel the META tag poses little risk can
    simply remove it from the list.

    I aim to improve the HTML defanger within the next weeks/months so it is
    more intelligent about things like this, for exactly the reasons you
    describe - crying wolf has problems of its own.

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

    Check out my open-source email sanitizer:

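The difference between per-tag defanging with a configurable blacklist and an attribute-aware META check, as an added example that is not part of the original message and is not Anomy's code. The blacklist contents, the `DEFANGED_` prefix, the allowlisted `http-equiv` values and the sample message are assumptions of this sketch.

```python
from html import escape
from html.parser import HTMLParser

# Assumptions of this example, not Anomy's configuration or defaults.
BLACKLIST = {"meta", "iframe", "object"}                # per-tag policy list
SAFE_HTTP_EQUIV = {"content-type", "content-language"}  # META sub-types let through
PREFIX = "DEFANGED_"                                    # rename marker used here
SAMPLE = (  # constructed HTML mail body
    '<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">'
    '<meta name="generator" content="Mailer 1.0">'
    '<meta http-equiv="refresh" content="0; url=http://redirect.example/">'
    '</head><body><p>Hi &amp; bye</p></body></html>')

class Defanger(HTMLParser):
    """Re-emits HTML with risky tags renamed; comments and doctypes are dropped."""
    def __init__(self, blacklist=BLACKLIST, meta_aware=False):
        super().__init__(convert_charrefs=False)
        self.blacklist, self.meta_aware = set(blacklist), meta_aware
        self.out, self.log = [], []

    def _risky(self, tag, attrs):
        if tag not in self.blacklist:
            return False
        if tag == "meta" and self.meta_aware:
            equiv = (dict(attrs).get("http-equiv") or "").strip().lower()
            # No http-equiv (name=...) or an allowlisted value passes;
            # refresh and anything unknown is still defanged.
            return bool(equiv) and equiv not in SAFE_HTTP_EQUIV
        return True

    def _emit(self, tag, attrs, close=""):
        if self._risky(tag, attrs):
            self.log.append(tag)          # one log entry per defanged tag
            tag = PREFIX + tag
        parts = "".join(f" {k}" if v is None else f' {k}="{escape(v)}"' for k, v in attrs)
        self.out.append(f"<{tag}{parts}{close}>")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag):
        name = PREFIX + tag if tag in self.blacklist and tag != "meta" else tag
        self.out.append(f"</{name}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def defang(html_text, **policy):
    """Return (sanitized_html, list_of_defanged_tags) under the given policy."""
    parser = Defanger(**policy)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.log
```

On the sample, the per-tag policy logs all three META tags, the attribute-aware policy logs only the refresh, and removing `meta` from the blacklist lets the refresh through untouched.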