anomy-list

Re: Defanging <STYLE>

From: Bjarni R. Einarsson (76558@xyz.molar.is)
Date: Wed 07 May 2003 - 13:03:40 GMT


    On 2003-05-07, 10:26:50 (+0200), David Santinoli wrote:
    >
    > Don't get me wrong, I'm not criticizing the concept of defanging STYLE.
    > I'm just pointing out that IMO the sequence
    >
    > <style></style>
    >
    > should be translated into
    >
    > <DEFANGED_style_0></DEFANGED_style_0>
    >
    > and not into
    >
    > <DEFANGED_style_0 </style>
    >
    > (note the missing '>' in the first tag, and the two tags' mismatch; this
    > is the "gross misbehaviour" I was referring to in my previous mail).
    > How dare you call this a feature? :-)

    Well, it is. The fact is, the syntax of the <style> tag is dumb.
    Most HTML tags are implemented in such a way that if they aren't
    recognized, then they are simply ignored.

    But if you convert

       <style> css bla bla bla </style>
       
    to

       <defanged> css bla bla bla </defanged>

    then the poor recipient is going to *see* "css bla bla bla" as part
    of the message text. That's why the defanging for style tags is
    different from defanging of other tags - to hide the disabled CSS
    "gibberish" from the user.

    -- 
    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
     76558@xyz.molar.is                -><-              http://bre.klaki.net/
    

    Check out my open-source email sanitizer: http://mailtools.anomy.net/ Spammers, please send lots of mail to: 76675@xyz.molar.is

    Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler
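
The two defanging styles discussed in this thread, compared by what a recipient would see. This is an added example, not part of the original message and not Anomy's own code. The function names, the sample HTML and `visible_text` (a simplified model of a renderer that ignores unknown tags) are assumptions made for the illustration; the `_0` suffix is copied from the output quoted in the thread.

```python
import re

# Constructed sample message bodies (not taken from the thread).
SAMPLE = "<p>Hello</p><style>p { color: red }</style><p>Bye</p>"
SAMPLE_GT = "<p>Hello</p><style>ul > li { margin: 0 }</style><p>Bye</p>"

STYLE_OPEN = re.compile(r"<style\b[^>]*>", re.IGNORECASE)
STYLE_CLOSE = re.compile(r"</style\s*>", re.IGNORECASE)


def defang_rename(html):
    """Rename the opening and closing tag, as for ordinary elements."""
    html = STYLE_OPEN.sub("<DEFANGED_style_0>", html)
    return STYLE_CLOSE.sub("</DEFANGED_style_0>", html)


def defang_swallow(html):
    """Rename the opening tag without its '>' and leave </style> alone.

    The CSS then sits inside one long unknown tag that only ends at the
    '>' of the untouched </style>.
    """
    return STYLE_OPEN.sub("<DEFANGED_style_0 ", html)


def visible_text(html):
    """Model of a lenient renderer: '<' up to the next '>' is a tag and
    is not displayed; everything else is shown as message text."""
    return re.sub(r"<[^>]*>", "", html)


if __name__ == "__main__":
    for name, fn in (("rename", defang_rename), ("swallow", defang_swallow)):
        for body in (SAMPLE, SAMPLE_GT):
            out = fn(body)
            print(f"{name:8} {out!r}\n         shown: {visible_text(out)!r}")
```

In this model a literal `>` inside the CSS ends the swallowed tag early, so the rest of that rule is displayed; the CSS is still inactive, since no `<style>` opening tag remains.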


