Re: Defanging <STYLE>

From: Bjarni R. Einarsson (
Date: Wed 07 May 2003 - 00:11:36 GMT

  • Next message: admin@system.mail: "邮件投递超时错误"

    On 2003-05-07, 01:45:58 (+0200), David Santinoli wrote:
    > There seems to be no previous mention whatsoever of my specific case in
    > the archives, which puzzles me: am I really the first one to notice
    > this gross misbehaviour (maybe due to its neglectable impact on rendered
    > content in most cases) or am I missing something?

    Yes. :-) It's not a bug, it's a feature.

    When the HTML cleaner was written I didn't have the skills or
    resources to appraise the security implications of CSS styles, so
    I defanged them.

    As it turned out, CSS styles can be abused as part of a security
    attack. What's missing from the HTML cleaner is a CSS parser
    which will recognize and allow certain CSS elements, while
    defanging others, depending on their security implications.

    I haven't had time to write such a beast yet though, so for now
    STYLE blocks are defanged completely.

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

    Check out my open-source email sanitizer: Spammers, please send lots of mail to:

    Was I helpful? Let others know:

    hosted by