Earl Hood wrote:
> On December 27, 2002 at 01:33, Gunnar Hjalmarsson wrote:
>> Okay... Since I couldn't re-open the bug, let me make a new try here.
>> How about:
>>
>>     $$data =~ s/([^\?&;]$UAttr\s*=\s*)([^\s'">][^\s>]+)
>>     -------------^^^^^^^
>
> Of course, such change would have to be applied to the two previous
> expressions as well.

The purpose with the suggestion was to allow certain query strings, and
query strings do typically not include quote characters, so I don't
think that would have been necessary.

> Unfortunately, this allows markup to get through that would
> be normally stripped. Take the following tricky mail message:
>
>     Content-Type: multipart/mixed; boundary="XXXXX"
>
>     --XXXXX
>     Content-Type: text/html
>
>     <img
>     --XXXXX
>     Content-Type: text/html
>
>     src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png">
>     --XXXXX--
>
> The final HTML message page will contain the following:
>
>     <img src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png">
>
> I.e. An auto-loaded URL got by the filtering.

I tested the above, and it got by the filtering also with the original
code. Would suggest that you take a closer look at it.

> I am reluctant to loosen up the filtering code at this time due to
> XSS issues since I am not confident that any kind of loosening cannot
> be exploited.

Okay, I respect that, and I admit that the example I posted in the bug
isn't very common... I'll refrain from further suggestions for a while. ;-)
/ Gunnar
---------------------------------------------------------------------
To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the
message text UNSUBSCRIBE MHONARC-DEV
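
Added example, not part of the original message and not MHonArc's code: a simplified, hypothetical tag-scoped filter in Python showing how filtering each MIME part separately can miss a tag that only exists once the parts are concatenated, as in the multipart message above, and two ways to close that gap. All function names and the filter's regexes are assumptions made for illustration.

```python
import re

# Hypothetical stand-in filter (not MHonArc's code): it only looks for
# src= attributes inside a complete <...> tag.
TAG = re.compile(r"<[^<>]*>")
SRC_ATTR = re.compile(r"""\s+src\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)

# Constructed sample: the two text/html part bodies from the message above.
PARTS = ["<img\n",
         'src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png">\n']


def strip_src(html):
    """Remove src attributes from every complete tag in html."""
    return TAG.sub(lambda m: SRC_ATTR.sub("", m.group(0)), html)


def neutralize_partial_tags(html):
    """Escape '<' and '>' that are not part of a complete tag in this fragment."""
    out, pos = [], 0
    for m in TAG.finditer(html):
        out.append(_escape(html[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(_escape(html[pos:]))
    return "".join(out)


def _escape(text):
    return text.replace("<", "&lt;").replace(">", "&gt;")


def per_part(parts):
    """Filter each part on its own, then concatenate (the failing order)."""
    return "".join(strip_src(p) for p in parts)


def per_part_hardened(parts):
    """Make each part self-contained before filtering and concatenating."""
    return "".join(strip_src(neutralize_partial_tags(p)) for p in parts)


def whole_page(parts):
    """Concatenate first, then filter the page the browser will parse."""
    return strip_src("".join(parts))


if __name__ == "__main__":
    for fn in (per_part, per_part_hardened, whole_page):
        print(fn.__name__, repr(fn(PARTS)))
```

Either fix works on the same principle: the filter has to see the same tag boundaries the browser will see, so a part must not be able to open a tag that a later part completes.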