Re: Defanging <STYLE>

From: Will Day (
Date: Wed 14 May 2003 - 19:49:27 GMT

    A short time ago, at a computer terminal not so far away, Bjarni R. Einarsson wrote:
    >> I'm just pointing out that IMO the sequence
    >> <style></style>
    >> should be translated into
    >> <DEFANGED_style_0></DEFANGED_style_0>
    >> and not into
    >> <DEFANGED_style_0 </style>
    >> (note the missing '>' in the first tag, and the two tags' mismatch; this
    >> is the "gross misbehaviour" I was referring to in my previous mail).
    >> How dare you call this a feature? :-)
    >Well, it is. The fact is, the syntax of the <style> tag is dumb.
    >Most HTML tags are implemented in such a way that if they aren't
    >recognized, then they are simply ignored.
    >But if you convert
    > <style> css bla bla bla </style>
    > <defanged> css bla bla bla </defanged>
    >then the poor recipient is going to *see* "css bla bla bla" as part
    >of the message text. That's why the defanging for style tags is
    >different from defanging of other tags - to hide the disabled CSS
    >"gibberish" from the user.

    It looks like the intention of the code is to turn the "css bla" into an
    argument for the <defanged> tag -- but to still properly close off the tag.

    That is:
       <DEFANGED_style asdf></DEFANGED_style>

    However, there indeed appears to be a different behavior if another tag
    appears right after the style tag - the output ends up missing a close

    In the case I observed, there were comments:
       <style><!-- asdf --></style>
    which becomes:
       <DEFANGED_style_0 <!-- asdf --></DEFANGED_style>

    Note the missing '>', as well as the presence of "_0", which the
    earlier example did not have.

    And, whereas some clients don't seem to mind the missing '>', others
    apparently count all their '<' and '>' and try to match them up precisely,
    and in the second example, something like Mac Eudora appears to interpret
    the entire rest of the message as the contents of the "DEFANGED_style_0"
    tag, and doesn't render anything.

    Will Day                  Those who would give up essential Liberty, to
    Georgia Tech / OIT        purchase a little temporary Safety, deserve neither
    UNIX System Programmer    Liberty nor Safety.
                                - Benjamin Franklin, Penn. Assembly, Nov. 11, 1755
      -> Opinions expressed are mine alone and do not reflect OIT policy <-
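
One way to get the balanced output discussed in this message, as an added example that is not part of the original post and is not the sanitizer's own code: the CSS is HTML-escaped into a quoted attribute so it stays hidden and cannot break the tag. The names `defang_style` and `brackets_balanced`, the `content` attribute, and the strict bracket-matching model of the mail client are assumptions for illustration.

```python
import html
import re

# A complete <style ...>...</style> element, any case, spanning lines.
STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
# Any <style or </style left over after the pass above (unterminated or stray).
STRAY_RE = re.compile(r"<(/?)style\b", re.I)


def defang_style(message: str) -> str:
    """Replace <style> elements with inert, well-formed tag pairs."""
    counter = 0

    def repl(match: re.Match) -> str:
        nonlocal counter
        name = f"DEFANGED_style_{counter}"
        counter += 1
        # Escape &, <, >, " and ' so comments or quotes inside the CSS
        # cannot terminate the attribute value or the tag itself.
        hidden = html.escape(match.group(1), quote=True)
        return f'<{name} content="{hidden}"></{name}>'

    out = STYLE_RE.sub(repl, message)
    # Edge case: a <style> with no closing tag is renamed in place, so it is
    # inert even though its CSS text is no longer hidden from the reader.
    return STRAY_RE.sub(r"<\1DEFANGED_style", out)


def brackets_balanced(text: str) -> bool:
    """Model of a strict client: each '<' must be closed by a '>' before
    the next '<' appears, and no '>' may appear without an open '<'."""
    is_open = False
    for ch in text:
        if ch == "<":
            if is_open:
                return False
            is_open = True
        elif ch == ">":
            if not is_open:
                return False
            is_open = False
    return not is_open


if __name__ == "__main__":
    sample = "<style><!-- asdf --></style>"  # input from the message above
    fixed = defang_style(sample)
    print(fixed, brackets_balanced(fixed))
```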
