[Bug #373] Non-HTML data looking like URLs can be modified.

2002-05-09 22:19:36
=================== Bug #373: Full Bug Snapshot ===================

Submitted by: ehood                     Project: MHonArc                        
Submitted on: 2002-May-10 00:18
Category:  MIME Filter                  Severity:  1 - Ordinary                 
Bug Group:  Undesired Behavior          Resolution:  None                       
Assigned to:  ehood                     Status:  Open                           
Platform Version:  All                  Effort:  0.00                           
Component Version:                      Fixed Release:                          

Summary:  Non-HTML data looking like URLs can be modified.

Original Submission:  Non-HTML tag data that matches image/auto-loaded 
attribute strings (e.g., src="...") can be modified during CID URL resolution or 
URL rewriting during base href resolution within the filter.

A complete solution would require full HTML parsing, but this would incur a 
performance penalty. The current set of regular expressions is intended to 
deal with security issues but minimize any performance penalties. It is unclear 
whether the existing HTML filter should be modified or whether a separate, more 
robust filter can be created, allowing users to choose which one they want. 
Contributors welcome for developing a robust HTML filter.

No Followups Have Been Posted
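
The behaviour described in the report, as an added example (Python, not MHonArc's own Perl filter code): a `src="cid:..."` rewrite run over the whole body also changes message text that merely looks like the attribute, while the same regex applied only to start-tag text leaves that text intact. The regex, the CID map, the file name and the sample body are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed data: Content-ID -> archived attachment file (hypothetical names).
CID_MAP = {"logo@example.invalid": "png00001.png"}
# Assumed pattern in the spirit of the report's src="..." example.
ATTR_RE = re.compile(r'(\bsrc\s*=\s*")cid:([^"]+)(")', re.I)

def _resolve(m):
    target = CID_MAP.get(m.group(2))
    return m.group(0) if target is None else m.group(1) + target + m.group(3)

def rewrite_regex_only(html):
    # Whole-body substitution: cannot tell a tag attribute from message text.
    return ATTR_RE.sub(_resolve, html)

class TagScopedRewriter(HTMLParser):
    """Re-emits the document, applying the rewrite only inside start tags."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        # get_starttag_text() is the raw tag as written in the source.
        self.out.append(ATTR_RE.sub(_resolve, self.get_starttag_text()))
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # raw text already ends in "/>"
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")      # tag name is lowercased by the parser
    def handle_data(self, data):
        self.out.append(data)             # text is copied through untouched
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def rewrite_tag_scoped(html):
    parser = TagScopedRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed message body: one real <img> tag, one sentence quoting the attribute.
SAMPLE = ('<p>Logo: <img src="cid:logo@example.invalid"></p>\n'
          '<p>To embed it, write src="cid:logo@example.invalid" in the tag.</p>')
```

Comparing `rewrite_regex_only(SAMPLE)` with `rewrite_tag_scoped(SAMPLE)` shows the quoted sentence altered in the first and preserved in the second; the tokenizing pass is where the performance cost mentioned in the report comes from.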
