On 2002-01-03, 13:49:20 (+0200), Andrew wrote:
> Hello all
>
> The sanitizer (v 1.45) correctly defangs STYLE tags in HTML mail,
> but if the composer omitted the comments <!-- .. --> inside the
> STYLE tags, then the innards of the style tag are visible when
> the message is displayed. This happens quite regularly.
Actually, there is already code in place in v1.45 to handle style
blocks and try to deal with this problem. It works quite well, as
long as the style blocks aren't too large (the threshold is around
4k in my local development code, I can't remember what it was in
the 1.45 release).
The reason it isn't working for you, is I didn't expect the style
tag to have any attributes...
> <STYLE type=3Dtext/css>
> .stbtm { BACKGROUND-COLOR: #cecbde; }
> .stedit { BACKGROUND-COLOR: #484c68; }
> </STYLE>
I expected <STYLE> ... </STYLE>.
I've fixed this in CVS, so expect the problem to go away in the next
release. :-)
> First prize: Even neater would be to eliminate each of the many
> possibilities for abuse in style tags ... but there are probably
> others:
> expression
> type=text/javascript
Not likely to happen. That sort of strategy never "fails safely".
The Right Way To Do It (tm) is to enhance the sanitizer to
recognize as many "safe" styles as possible, and allowing them to
pass through unchanged. Some primitive preliminary work has
already been done (very ugly regexps in the $attribute_rules table
in HTMLCleaner.pm), but there's lots of room for improvement.
Help?
-- Bjarni R. Einarsson PGP: 02764305, B7A3AB89 27746@xyz.molar.is -><- http://bre.klaki.net/Check out my open-source email sanitizer: http://mailtools.anomy.net/ Spammers, please send plenty of email to: 27867@xyz.molar.is