
CVS: mhonarc/MHonArc/lib mhamain.pl,2.50,2.50.2.1 mhtxthtml.pl,2.22,2.22.2.1

2002-12-21 17:44:05
Update of /cvsroot/mhonarc/mhonarc/MHonArc/lib
In directory subversions:/tmp/cvs-serv10529/lib

Modified Files:
      Tag: v2-5-13-sp
	mhamain.pl mhtxthtml.pl 
Log Message:
* XSS Fix.


Index: mhamain.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhamain.pl,v
retrieving revision 2.50
retrieving revision 2.50.2.1
diff -C2 -r2.50 -r2.50.2.1
*** mhamain.pl	21 Oct 2002 17:02:06 -0000	2.50
--- mhamain.pl	22 Dec 2002 00:43:56 -0000	2.50.2.1
***************
*** 30,34 ****
  require 5;
  
! $VERSION = '2.5.13';
  $VINFO =<<EndOfInfo;
    MHonArc v$VERSION (Perl $] $^O)
--- 30,34 ----
  require 5;
  
! $VERSION = '2.5.14';
  $VINFO =<<EndOfInfo;
    MHonArc v$VERSION (Perl $] $^O)

Index: mhtxthtml.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhtxthtml.pl,v
retrieving revision 2.22
retrieving revision 2.22.2.1
diff -C2 -r2.22 -r2.22.2.1
*** mhtxthtml.pl	11 Oct 2002 01:57:53 -0000	2.22
--- mhtxthtml.pl	22 Dec 2002 00:43:56 -0000	2.22.2.1
***************
*** 151,178 ****
  
      ## Strip out certain elements/tags to support proper inclusion
-     $$data =~ s|<!doctype\s[^>]*>||io;
-     $$data =~ s|</?html\b[^>]*>||gio;
-     $$data =~ s|</?x-html\b[^>]*>||gio;
      $$data =~ s|<head\s*>[\s\S]*</head\s*>||io;
  
      ## Strip out <font> tags if requested
      if ($nofont) {
  	$$data =~ s|<style[^>]*>.*?</style\s*>||gios;
! 	$$data =~ s|</?font\b[^>]*>||gio;
      }
  
      ## Strip out scripting markup if requested
      if ($noscript) {
  	$$data =~ s|<script[^>]*>.*?</script\s*>||gios;
! 	$$data =~ s|<style[^>]*>.*?</style\s*>||gios  unless $nofont;
! 	$$data =~ s|$SAttr\s*=\s*"[^"]*"||gio; #"
! 	$$data =~ s|$SAttr\s*=\s*'[^']*'||gio; #'
! 	$$data =~ s|$SAttr\s*=\s*[^\s>]+||gio;
! 	$$data =~ s|</?$SElem[^>]*>||gio;
! 
! 	# just in-case, make sure all script tags are removed
  	1 while ($$data =~ s|</?script\b||gi);
  	# for netscape 4.x browsers
! 	$$data =~ s/(=\s*["']?\s*)\&\{/$1/g;
      }
  
--- 151,204 ----
  
      ## Strip out certain elements/tags to support proper inclusion
      $$data =~ s|<head\s*>[\s\S]*</head\s*>||io;
+     1 while ($$data =~ s|<!doctype\s[^>]*>||io);
+     1 while ($$data =~ s|</?html\b[^>]*>||gio);
+     1 while ($$data =~ s|</?x-html\b[^>]*>||gio);
+     1 while ($$data =~ s|</?meta\b[^>]*>||gio);
+     1 while ($$data =~ s|</?link\b[^>]*>||gio);
  
      ## Strip out <font> tags if requested
      if ($nofont) {
  	$$data =~ s|<style[^>]*>.*?</style\s*>||gios;
! 	1 while ($$data =~ s|</?font\b[^>]*>||gio);
!         1 while ($$data =~ s/\b(?:style|class)\s*=\s*"[^"]*"//gio);
! 	1 while ($$data =~ s/\b(?:style|class)\s*=\s*'[^']*'//gio);
! 	1 while ($$data =~ s/\b(?:style|class)\s*=\s*[^\s>]+//gio);
! 	1 while ($$data =~ s|</?style\b[^>]*>||gi);
! 
      }
  
      ## Strip out scripting markup if requested
      if ($noscript) {
+ 	# remove scripting elements and attributes
  	$$data =~ s|<script[^>]*>.*?</script\s*>||gios;
! 	unless ($nofont) {  # avoid dup work if style already stripped
! 	    $$data =~ s|<style[^>]*>.*?</style\s*>||gios;
! 	    1 while ($$data =~ s|</?style\b[^>]*>||gi);
! 	}
! 	1 while ($$data =~ s|$SAttr\s*=\s*"[^"]*"||gio); #"
! 	1 while ($$data =~ s|$SAttr\s*=\s*'[^']*'||gio); #'
! 	1 while ($$data =~ s|$SAttr\s*=\s*[^\s>]+||gio);
! 	1 while ($$data =~ s|</?$SElem[^>]*>||gio);
  	1 while ($$data =~ s|</?script\b||gi);
+ 
  	# for netscape 4.x browsers
! 	$$data =~ s/(=\s*["']?\s*)(?:\&\{)+/$1/g;
! 
! 	# Hopefully complete pattern to neutralize javascript:... URLs.
! 	# The pattern is ugly because we have to handle any combination
! 	# of regular chars and entity refs.
! 	$$data =~ s/\b(?:j|&\#(?:0*(?:74|106)|x0*(?:4a|6a))(?:;|(?![0-9])))
! 		      (?:a|&\#(?:0*(?:65|97)|x0*(?:41|61))(?:;|(?![0-9])))
! 		      (?:v|&\#(?:0*(?:86|118)|x0*(?:56|76))(?:;|(?![0-9])))
! 		      (?:a|&\#(?:0*(?:65|97)|x0*(?:41|61))(?:;|(?![0-9])))
! 		      (?:s|&\#(?:0*(?:83|115)|x0*(?:53|73))(?:;|(?![0-9])))
! 		      (?:c|&\#(?:0*(?:67|99)|x0*(?:43|63))(?:;|(?![0-9])))
! 		      (?:r|&\#(?:0*(?:82|114)|x0*(?:52|72))(?:;|(?![0-9])))
! 		      (?:i|&\#(?:0*(?:73|105)|x0*(?:49|69))(?:;|(?![0-9])))
! 		      (?:p|&\#(?:0*(?:80|112)|x0*(?:50|70))(?:;|(?![0-9])))
! 		      (?:t|&\#(?:0*(?:84|116)|x0*(?:54|74))(?:;|(?![0-9])))
! 		   /_javascript_/gix;
! 
      }
  
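Review bot: The leading `\b` on the first line of the new javascript pattern also governs the character-reference alternative for the first letter. A `&` that directly follows a quote or `=` has a non-word character on both sides, so there is no word boundary there and that branch cannot match at the start of an attribute value. Scoping the anchor to the literal letter fixes this: `(?:\bj|&\#(?:0*(?:74|106)|x0*(?:4a|6a))(?:;|(?![0-9])))`. Because the comment itself says the pattern is only "hopefully complete", it would also help to add a comment such as `# deny-list only: covers the javascript scheme in the spellings listed; other schemes pass through unchanged`. A sturdier follow-up would decode character references first and then permit only known-safe URL schemes. The enclosing filter routine starts and ends outside this hunk, so how `$SAttr` and `$SElem` are defined cannot be checked from here.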
***************
*** 231,235 ****
  	}
      }
!     $$data =~ s|</?body[^>]*>||ig;
  
      ## Check for CID URLs (multipart/related HTML)
--- 257,261 ----
  	}
      }
!     1 while ($$data =~ s|</?body[^>]*>||ig);
  
      ## Check for CID URLs (multipart/related HTML)
