Re: Style tags without HTML comments

From: Bjarni R. Einarsson (
Date: Thu 03 Jan 2002 - 13:02:30 UTC

  • Next message: Dave Cridland: "Re: Re: Style tags without HTML comments"

    On 2002-01-03, 13:49:20 (+0200), Andrew wrote:
    > Hello all
    > The sanitizer (v 1.45) correctly defangs STYLE tags in HTML mail,
    > but if the composer omitted the comments <!-- .. --> inside the
    > STYLE tags, then the innards of the style tag are visible when
    > the message is displayed. This happens quite regularly.

    Actually, there is already code in place in v1.45 to handle style
    blocks and try to deal with this problem. It works quite well, as
    long as the style blocks aren't too large (the threshold is around
    4k in my local development code, I can't remember what it was in
    the 1.45 release).

    The reason it isn't working for you, is I didn't expect the style
    tag to have any attributes...

    > <STYLE type=3Dtext/css>
    > .stbtm { BACKGROUND-COLOR: #cecbde; }
    > .stedit { BACKGROUND-COLOR: #484c68; }
    > </STYLE>

    I expected <STYLE> ... </STYLE>.

    I've fixed this in CVS, so expect the problem to go away in the next
    release. :-)

    > First prize: Even neater would be to eliminate each of the many
    > possibilities for abuse in style tags ... but there are probably
    > others:
    > expression
    > type=text/javascript

    Not likely to happen. That sort of strategy never "fails safely".

    The Right Way To Do It (tm) is to enhance the sanitizer to
    recognize as many "safe" styles as possible, and allowing them to
    pass through unchanged. Some primitive preliminary work has
    already been done (very ugly regexps in the $attribute_rules table
    in, but there's lots of room for improvement.


    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

    Check out my open-source email sanitizer: Spammers, please send plenty of email to:

    hosted by