Re: [Bug #2051] Query string including 'action=' not handled properly

2002-12-28 16:22:29
Earl Hood wrote:

On December 27, 2002 at 01:33, Gunnar Hjalmarsson wrote:

Okay... Since I couldn't re-open the bug, let me make a new try here. How about:

    $$data =~ s/([^\?&;]$UAttr\s*=\s*)([^\s'">][^\s>]+)

Of course, such change would have to be applied to the two previous expressions as well.

The purpose of the suggestion was to allow certain query strings, and query strings typically do not include quote characters, so I don't think that would have been necessary.

Unfortunately, this allows markup to get through that would
be normally stripped.  Take the following tricky mail message:

  Content-Type: multipart/mixed; boundary="XXXXX"

  Content-Type: text/html

  Content-Type: text/html


The final HTML message page will contain the following:

  <img src="";>

I.e., an auto-loaded URL got by the filtering.

I tested the above, and it got by the filtering also with the original code. Would suggest that you take a closer look at it.

I am reluctant to loosen up the filtering code at this time due to
XSS issues since I am not confident that any kind of loosening cannot
be exploited.

Okay, I respect that, and I admit that the example I posted in the bug isn't very common... I'll refrain from further suggestions for a while. ;-)

/ Gunnar
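The following is an added example, not code from the thread or from MHonArc, that puts the two substitutions under discussion side by side on constructed input and contrasts them with a structural filter. It assumes a small stand-in for MHonArc's `$UAttr` list and assumes a replacement (keep the attribute name, empty its value), since the message quotes only the pattern side of the substitution; `strip_structured` and `filter_tag` are hypothetical helpers written for this demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed stand-in for MHonArc's $UAttr: names of attributes whose values
# the filter must not let through. The real list is longer; this is a sample.
my $UAttr = qr/(?:action|onload|onclick|onmouseover)/i;

# The unquoted-value substitution as quoted in the thread. The replacement
# (keep the name, empty the value) is an assumption for this demonstration.
sub strip_original {
    my ($html) = @_;
    $html =~ s/($UAttr\s*=\s*)([^\s'">][^\s>]+)/$1""/g;
    return $html;
}

# The proposed variant: refuse to match when the name is preceded by '?', '&'
# or ';', i.e. when it looks like a query-string parameter, not an attribute.
sub strip_guarded {
    my ($html) = @_;
    $html =~ s/([^\?&;]$UAttr\s*=\s*)([^\s'">][^\s>]+)/$1""/g;
    return $html;
}

# Structural alternative (hypothetical, not MHonArc code): tokenize each tag's
# attribute list and drop unsafe attribute *names*. A string like ?action=view
# can only occur inside a tokenized value, so it is never mistaken for an
# attribute. A tag whose attribute list does not tokenize cleanly is removed
# whole, so malformed markup fails closed instead of passing through untouched.
sub strip_structured {
    my ($html) = @_;
    $html =~ s{<([A-Za-z][\w-]*)([^>]*)>}{ filter_tag($1, $2) }ge;
    return $html;
}

sub filter_tag {
    my ($tag, $attrs) = @_;
    my $kept = '';
    pos($attrs) = 0;
    # One attribute per iteration: name, optionally "=" and a quoted or bare value.
    while ($attrs =~ /\G\s+([A-Za-z][\w-]*)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">]+))?/gc) {
        my ($name, $value) = ($1, defined $2 ? $2 : '');
        next if $name =~ /^$UAttr\z/;
        $kept .= " $name$value";
    }
    # Only whitespace and a self-closing slash may remain; anything else means
    # the attribute list was malformed, and the whole tag is dropped.
    return '' unless $attrs =~ m{\G\s*/?\s*\z}gc;
    return "<$tag$kept>";
}

# Constructed inputs for the demonstration.
my @samples = (
    '<a href="page.cgi?action=view&id=3">view</a>',   # bug #2051 case: legitimate query string
    '<form action=/cgi-bin/post.cgi method=post>',    # a real attribute that must be stripped
    '<img src=\'pic.gif" alt=photo>',                  # mismatched quotes: does not tokenize
);

for my $html (@samples) {
    print "input:      $html\n";
    print "original:   ", strip_original($html),   "\n";
    print "guarded:    ", strip_guarded($html),    "\n";
    print "structured: ", strip_structured($html), "\n\n";
}
```

On the first sample the quoted substitution matches `action=view&id=3"` inside the href value and mangles the link (the false positive behind bug #2051); the guarded variant leaves it alone because `?` precedes the name, and the structural filter keeps it because the attribute being tokenized is `href`. The second sample is stripped by all three. The third, with a mismatched quote, is left untouched by both pattern-based filters (no unsafe name occurs, so they never look at the tag's shape) and is dropped whole by the structural one. The design point for a defender is the last case: a filter that reasons about tag structure can fail closed on markup it does not understand, whereas a character-class guard in front of the attribute name only decides whether a particular match is skipped.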

To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the