HTML defanging issues

From: Bjarni R. Einarsson
Date: Fri 20 Sep 2002 - 10:41:20 GMT


    On 2002-09-18, 16:07:13 (+0200), Andrew wrote:
    > telnet   Windows 2000 telnet attempts NTLM authentication (or at
    >          least, it did). Network sniffs can be fed to a
    >          password cracking program.
    > about    Don't know what this will be doing in mail, and
    >          there's some scripting possibilities ..

    "about" is already on the list... I don't see the security implications
    of telnet though. How can offering a telnet link be dangerous?

    > And this?
    > opera    Opera seems to support its own kind of about
    >          thingy you can do opera:cache - I don't know if
    >          that's good for anything legitimate.

    That definitely goes on the list.

    > BUT! why not just block everything that's not included with the
    > message (although that's quite bad too, come to think of it :)

     :-) That would have to be configurable...

    > On an unrelated note, I see that there are a few things that are
    > rumoured to be scriptable, some of which get past Anomy's
    > sanitizer -- particularly img dynsrc=xxx - selected from an old
    > bugtraq post ...

    Um, no, dynsrc= is handled just like src=, follows the same rules.
    Definitely not scriptable in any recent versions of the Sanitizer.

    > <input type="image" dynsrc="javascript:[code]"> [IE]

    Already blocked.

    > <img src=&{[code]};> [N4]
    > <img src="mocha:[code]"> [N4]

    Fixed in CVS...

    > <img src="blah"onmouseover="[code]">
    > <img src="blah>" onmouseover="[code]">
    > &{[code]}; [N4]

    I'm gonna have to look into these... :-)

    I agree that the most worrying is the "blah>" exploit. That one
    indicates that my parser is broken, and could take some
    head-scratching to fix. Bugger.

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

    Check out my open-source email sanitizer: Spammers, please send plenty of email to:
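
The `"blah>"` case discussed in the message above comes down to where a parser decides a tag ends. The following Python sketch is an added example, not code from the Anomy Sanitizer or from the original post; the function names, the scheme allowlist, the set of URL attributes and the `DEFANGED_` prefix are assumptions made for illustration. It contrasts a first-`>` scan with a quote-aware one, then defangs event-handler attributes and URL attributes whose scheme is not allowlisted.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}  # assumed allowlist
URL_ATTRS = {"src", "dynsrc", "href"}                 # assumed URL attributes
PREFIX = "DEFANGED_"                                  # marker chosen for this example

def naive_tag_end(doc, start):
    return doc.index(">", start)  # broken: first '>' wins, even inside quotes

def tag_end(doc, start):
    """Quote-aware scan: a '>' inside "..." or '...' does not end the tag."""
    quote = None
    for i, c in enumerate(doc[start:], start):
        if quote:
            quote = None if c == quote else quote
        elif c in "\"'":
            quote = c
        elif c == ">":
            return i
    return len(doc)  # unterminated: treat the rest of the input as the tag

# No whitespace is required between attributes: "blah"onmouseover= splits in two.
ATTR = re.compile(r"""([^\s"'=<>/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]*))?""")

def is_unsafe(name, raw):
    name = name.lower()
    if name.startswith("on") or name not in URL_ATTRS:
        return name.startswith("on")  # event handlers are always defanged
    value = re.sub(r"[\x00-\x20]", "", html.unescape(raw.strip("\"'"))).lower()
    scheme = re.match(r"([a-z][a-z0-9+.-]*):", value)
    return "&{" in value or bool(scheme and scheme.group(1) not in ALLOWED_SCHEMES)

def defang_tag(tag):
    head = re.match(r"\s*/?[A-Za-z][A-Za-z0-9]*", tag)
    if not head:  # not a tag, e.g. the text "a < b"
        return tag
    out = [head.group(0)]
    for name, raw in ATTR.findall(tag[head.end():]):
        flag = PREFIX if is_unsafe(name, raw) else ""
        out.append(flag + name + ("=" + raw if raw else ""))
    return " ".join(out)

def defang(doc):
    out, pos = [], 0
    while (lt := doc.find("<", pos)) != -1:
        end = tag_end(doc, lt + 1)
        out.append(doc[pos:lt] + "<" + defang_tag(doc[lt + 1:end]) + ">")
        pos = end + 1
    return "".join(out) + doc[pos:]
```

The scanner treats any quote character inside a tag as opening a quoted value, which is a simplification; the rule used by the mail clients being protected may differ and should be checked against them.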
