anomy-list

Re: Re: Style tags without HTML comments

From: Dave Cridland (27902@xyz.molar.is)
Date: Thu 03 Jan 2002 - 19:41:34 UTC


    On Thu, 2002-01-03 at 13:02, Bjarni R. Einarsson wrote:
    > On 2002-01-03, 13:49:20 (+0200), Andrew wrote:
    > > First prize: Even neater would be to eliminate each of the many
    > > possibilities for abuse in style tags ... but there are probably
    > > others:
    > > expression
    > > type=text/javascript
    >
    > Not likely to happen. That sort of strategy never "fails safely".

    Agreed - it's like the difference between firewalls which attempt to
    block out any "naughty" stuff, and allow through anything else, and
    firewalls which block out everything, and then let in the "nice" stuff.

    Ask any security expert you like which they'd rather use. :-)

    > The Right Way To Do It (tm) is to enhance the sanitizer to
    > recognize as many "safe" styles as possible, and allow them to
    > pass through unchanged. Some primitive preliminary work has
    > already been done (very ugly regexps in the $attribute_rules table
    > in HTMLCleaner.pm), but there's lots of room for improvement.

    I imagine that we can just draw a list of style attributes out of the
    CSS specs - aren't all the expression (etc) tags extensions?

    Then we just parse the style sheet and use it safely.

    Which reminds me - does the sanitizer cope with <LINK>ed stylesheets
    referring to other MIME parts? (cid or whichever scheme URL it is?)

    > Help?

    Certainly, when I've finished wrapping 1.45 into the LMTP evil-nasty
    thing.

    Dave.
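
The "block everything, then let in the nice stuff" approach discussed in this message, applied to a style attribute, as an added example that is not part of the original post and not the Anomy sanitizer's code. The `SAFE_STYLES` table, its patterns and the sample inputs are constructed for illustration; Python is used here instead of the project's Perl.

```python
import re

# Constructed allowlist: property -> pattern the WHOLE value must match.
# Anything not listed here is dropped, so new browser extensions fail safely.
_LENGTH = r"(?:0|\d{1,4}(?:\.\d{1,2})?(?:px|pt|em|%))"
_COLOR = r"(?:#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})"
SAFE_STYLES = {
    "color": re.compile(_COLOR),
    "background-color": re.compile(_COLOR),
    "font-size": re.compile(_LENGTH),
    "font-weight": re.compile(r"(?:normal|bold|[1-9]00)"),
    "text-align": re.compile(r"(?:left|right|center|justify)"),
    "margin": re.compile(rf"{_LENGTH}(?: {_LENGTH}){{0,3}}"),
}


def sanitize_style(style):
    """Return (kept_css, dropped_declarations) for one style attribute value."""
    kept, dropped = [], []
    # A naive split on ';' can cut a quoted value in two; both halves then
    # fail the allowlist, so the mistake costs styling, never safety.
    for decl in style.split(";"):
        decl = decl.strip()
        if not decl:
            continue
        prop, sep, value = decl.partition(":")
        prop = prop.strip().lower()
        value = " ".join(value.split()).lower()  # normalise case and spacing
        rule = SAFE_STYLES.get(prop)
        if sep and rule and rule.fullmatch(value):
            kept.append(f"{prop}: {value}")  # re-emit in canonical form
        else:
            dropped.append(decl)  # unknown property or unrecognised value
    return "; ".join(kept), dropped


if __name__ == "__main__":
    samples = [  # constructed inputs
        "color: red; font-size: 12pt; margin: 0 4px",
        "WIDTH: expression(document.body.clientWidth); Color: #FF0000",
        "background: url(cid:part1@example.invalid); text-align: center",
    ]
    for s in samples:
        print(sanitize_style(s))
```

Nothing in the table mentions `expression` or `url(...)`; they are removed only because they are not recognised, which is also how a `cid:` reference to another MIME part is handled until a rule is written for it.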


