anomy-list

Style tags without HTML comments

From: Andrew (27658@xyz.molar.is)
Date: Thu 03 Jan 2002 - 11:49:20 UTC


    Hello all

    The sanitizer (v 1.45) correctly defangs STYLE tags in HTML mail,
    but if the composer omitted the comments <!-- .. --> inside the
    STYLE tags, then the innards of the style tag are visible when
    the message is displayed. This happens quite regularly.

    Microsoft Outlook Express 5.00.2919.6600 using MimeOLE
    V5.00.2919.6600 produces style tags like this (verbiage snipped):

    <STYLE type=3Dtext/css>
    .stbtm { BACKGROUND-COLOR: #cecbde; }
    .stedit { BACKGROUND-COLOR: #484c68; }
    </STYLE>

    The defanged output is this:

    <DEFANGED_STYLE type=3Dtext/css>
    .stbtm { BACKGROUND-COLOR: #cecbde; }
    .stedit { BACKGROUND-COLOR: #484c68; }
    </DEFANGED_STYLE>

    This is rendered as visible text, which is rather ugly (and would
    be rather ugly in browsers without style sheets too).

    Second prize: It looks like quite a challenge to modify the code
    to correct for this ms error -- replace <STYLE>...</STYLE> with
    <DEFANGED_STYLE><!-- ... --></STYLE> (unless there was a comment
    there already...) (sigh).

    Third prize: An alternative approach to style tags would be to
    disable the style by mangling the elements declared in the style
    tag so that these never get referenced (e.g. .stbtm is rewritten
    as .stbtmDEFANGED).

    First prize: Even neater would be to eliminate each of the many
    possibilities for abuse in style tags ... but there are probably
    others:
            expression
            type=text/javascript

    &:-)
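
The "second prize" from the message above, sketched as an added example (Python, not the sanitizer's own code; `defang_style` and `_hide_body` are hypothetical names): the tag is renamed and its body is wrapped in exactly one HTML comment, with any `--` inside the body broken up so the stylesheet text cannot close the comment early and become visible or active markup.

```python
import re

# One STYLE element: opening tag with its attributes, body, closing tag.
STYLE_RE = re.compile(r"<style\b([^>]*)>(.*?)</style\s*>",
                      re.IGNORECASE | re.DOTALL)
# A body the composer already wrapped in an HTML comment.
COMMENTED_RE = re.compile(r"\s*<!--(.*)-->\s*\Z", re.DOTALL)

# Constructed sample, modelled on the Outlook Express output quoted above.
SAMPLE = ("<STYLE type=3Dtext/css>\n"
          ".stbtm { BACKGROUND-COLOR: #cecbde; }\n"
          "</STYLE>")


def _hide_body(body):
    """Return the style body wrapped in exactly one HTML comment."""
    m = COMMENTED_RE.match(body)
    inner = (m.group(1) if m else body).strip()
    # Separate every pair of adjacent hyphens so no "-->" or "--!>"
    # survives inside the comment.
    inner = re.sub(r"-(?=-)", "- ", inner)
    # The newlines keep a body that starts with ">" or ends with "-"
    # from merging with the comment delimiters.
    return "<!--\n" + inner + "\n-->"


def defang_style(html):
    """Rename STYLE to DEFANGED_STYLE and hide its contents."""
    def repl(m):
        attrs, body = m.group(1), m.group(2)
        return ("<DEFANGED_STYLE" + attrs + ">" + _hide_body(body)
                + "</DEFANGED_STYLE>")
    return STYLE_RE.sub(repl, html)


if __name__ == "__main__":
    print(defang_style(SAMPLE))
```
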


