Re: [Bug #2051] Query string including 'action=' not handled properly

2002-12-28 11:37:07
On December 27, 2002 at 01:33, Gunnar Hjalmarsson wrote:

Okay...  Since I couldn't re-open the bug, let me make a new try here. 
How about:

     $$data =~ s/([^\?&;]$UAttr\s*=\s*)([^\s'">][^\s>]+)

Of course, such change would have to be applied to the two previous
expressions as well.

Unfortunately, this allows markup to get through that would
normally be stripped.  Take the following tricky mail message:

  Content-Type: multipart/mixed; boundary="XXXXX"

  Content-Type: text/html

  Content-Type: text/html


The final HTML message page will contain the following:

  <img src="";>

I.e., an auto-loaded URL got by the filtering.  Now, stripping any
unclosed open tag at the end of an HTML part and stripping any partial
tag at the start of an HTML part could prevent this (and possibly
related) exploits.

To avoid any possible XSS exploits by "loosening" the existing
filtering code, parsing the HTML tags themselves would be needed, and
then tested, which would add extra processing overhead.

I am reluctant to loosen up the filtering code at this time due to
XSS issues since I am not confident that any kind of loosening cannot
be exploited (even if I or you cannot see any potential exploits,
someone else might).

It is not on my priority list to develop a more intelligent HTML
filter; however, contributions are welcome.
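The boundary trimming described above (drop an unclosed open tag at the end of a part and a partial tag at the start of the next), shown as an added example in Python rather than MHonArc's own Perl filter; the two HTML parts, the `<img src="";>` result and all function names are constructed for the illustration and are not taken from the original bug report.

```python
import re

# Constructed sample: two text/html parts of one multipart/mixed message.
# Neither part contains a complete tag on its own, so a filter that only
# looks at whole tags inside each part finds nothing to strip; the
# auto-loading tag only appears once the parts are concatenated.
PART_1 = 'Hello, see attached.<img src="'
PART_2 = '";> Regards'

# A '<' that is never closed before the end of the part.
TRAILING_UNCLOSED = re.compile(r'<[^>]*$')
# A '>' that closes nothing: no '<' precedes it within the part.
LEADING_PARTIAL = re.compile(r'^[^<]*>')
COMPLETE_TAG = re.compile(r'<[^>]*>')


def complete_tags(html):
    """Tags a per-part, whole-tag filter would actually get to inspect."""
    return COMPLETE_TAG.findall(html)


def trim_part_fragments(part):
    """Remove tag fragments that could pair up across a part boundary.

    Over-strips a literal '>' in leading text (e.g. 'a > b'), which is the
    accepted cost of not parsing the HTML properly.
    """
    part = TRAILING_UNCLOSED.sub('', part)
    part = LEADING_PARTIAL.sub('', part)
    return part


def naive_join(parts):
    """Concatenate parts as-is: the boundary-splitting case gets through."""
    return ''.join(parts)


def hardened_join(parts):
    """Trim each part's dangling fragments before concatenating."""
    return ''.join(trim_part_fragments(p) for p in parts)


if __name__ == '__main__':
    print('naive:   ', repr(naive_join([PART_1, PART_2])))
    print('hardened:', repr(hardened_join([PART_1, PART_2])))
```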


To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the