[imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD
Chuck Hagenbuch
chuck at horde.org
Mon Apr 7 17:27:40 UTC 2008
>> I'm unclear on the benefit of stripping everything outside of the html
>> tags if you've already commented them out. Making this change shouldn't
>> allow a malicious user to get anything into the message that they
>> couldn't otherwise.
>>
>> Here's a small patch with my proposed changes:
>>
>> RCS file: /repository/framework/Text_Filter/Filter/xss.php,v
>> retrieving revision 1.12
>> diff -r1.12 xss.php
>> 75,76c75,76
>> < $patterns['/.*<(body|html)[^>]*>/si'] = '';
>> < $patterns['/<\/(body|html)>.*/si'] = '';
>> ---
>>> $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>';
>>> $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';
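Review bot: the replacement `<!--\1--!>` used by both new patterns closes the comment with `--!>`, which is not the standard terminator; an HTML5 tokenizer does end the comment there, but only as an "incorrectly closed comment" parse error, and a parser that recognises just `-->` keeps the comment open through the rest of the message. Use `<!--\1-->`. Also, because `\1` carries the tag's attributes verbatim and `[^>]*` admits `--`, the sender decides where the comment ends: `<body x=-->` becomes `<!--<body x=-->--!>`, where the `-->` formed by the attribute and the tag's own `>` ends the comment early and leaves a stray `--!>` as visible text. Since `[^>]*` excludes `>`, nothing captured inside the tag can follow a terminator, so the tag itself stays inside the comment, but text before the `<html>`/`<body>` tag and after `</body>`/`</html>` (a `<head>` block, for instance) is no longer stripped as the old `.*` patterns did and now depends entirely on the other filter patterns; that behaviour change should be stated in the commit message.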
For the record, I am opposed to this unless you can supply a test
suite that assures us (as it's probably impossible to prove) that this
CANNOT result in injecting something that gets out of those comments.
Including any attributes on the body or html tags in the comment, in
particular, seems VERY exploitable to me.
And I'm probably against this for 3.2 anyway since I don't want to
take a chance of introducing a regression in our XSS filters.
-chuck
--
"I have concerns that we are not behaving like a mature, responsible,
collection of interdependent organisms." - Rick O.
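A starting point for the test suite the reply asks for, added here as an example and not part of the Horde code or of this thread: both pattern sets from the quoted xss.php diff are translated from PCRE to Python, applied to constructed inputs, and the output is run through a small comment tokenizer that follows the HTML5 `<!--` / `-->` / `--!>` rules in simplified form (an assumption about browser behaviour, not a real parser). The function names `apply_patterns`, `outside_comments`, `filter_and_render` and `leaked_tags`, and the `CASE_*` inputs, are mine.

```python
import re

# Both pattern sets from the quoted xss.php diff, translated from PCRE /si to
# Python's re.S | re.I. PHP's preg_replace, like re.sub, replaces every match.
OLD_PATTERNS = [
    (re.compile(r'.*<(body|html)[^>]*>', re.S | re.I), ''),
    (re.compile(r'</(body|html)>.*', re.S | re.I), ''),
]
NEW_PATTERNS = [
    (re.compile(r'(<body[^>]*>|<html[^>]*>)', re.S | re.I), r'<!--\1--!>'),
    (re.compile(r'(</(body|html)>)', re.S | re.I), r'<!--\1--!>'),
]

TAG_RE = re.compile(r'</?(body|html)\b', re.I)


def apply_patterns(html, patterns):
    """Apply the pattern list in order, as the filter's $patterns loop does."""
    for rx, repl in patterns:
        html = rx.sub(repl, html)
    return html


def outside_comments(html, bang_closes=True):
    """Return the text a browser would render outside HTML comments.

    Simplified HTML5 tokenizer rules (an assumption, not the real parser):
    a comment opened by '<!--' ends at the first '-->' or, when bang_closes
    is True, '--!>' (an 'incorrectly closed comment' parse error that still
    ends it); '<!-->' and '<!--->' close abruptly; a nested '<!--' does
    nothing. bang_closes=False models a parser that only honours '-->'.
    """
    out, i = [], 0
    while True:
        start = html.find('<!--', i)
        if start == -1:
            out.append(html[i:])
            return ''.join(out)
        out.append(html[i:start])
        j = start + 4
        if html.startswith('>', j):
            i = j + 1
            continue
        if html.startswith('->', j):
            i = j + 2
            continue
        ends = [html.find('-->', j)]
        if bang_closes:
            ends.append(html.find('--!>', j))
        ends = [p for p in ends if p != -1]
        if not ends:
            return ''.join(out)  # unterminated comment swallows the rest
        end = min(ends)
        i = end + (3 if html.startswith('-->', end) else 4)


def filter_and_render(html):
    """Run both filter variants and report what survives outside comments."""
    old = apply_patterns(html, OLD_PATTERNS)
    new = apply_patterns(html, NEW_PATTERNS)
    return {
        'old': old,
        'new': new,
        'old_visible': outside_comments(old),
        'new_visible': outside_comments(new),
    }


def leaked_tags(html):
    """body/html tags still outside comments after the proposed filter."""
    visible = filter_and_render(html)['new_visible']
    return [m.group(0) for m in TAG_RE.finditer(visible)]


# Constructed inputs (not real messages).
CASE_NORMAL = ('<html><head><title>t</title></head>'
               '<body bgcolor="#fff">Hello</body></html>')
CASE_EARLY_CLOSE = '<body x=-->payload'     # attribute ending in '--'
CASE_UPPER = '<BODY\nonload=x>Hi</BODY>'    # exercises the /si flags


if __name__ == '__main__':
    for case in (CASE_NORMAL, CASE_EARLY_CLOSE, CASE_UPPER):
        r = filter_and_render(case)
        print(repr(case))
        print('  old filter ->', repr(r['old_visible']))
        print('  new filter ->', repr(r['new']))
        print('  visible    ->', repr(r['new_visible']),
              'leaked:', leaked_tags(case))
    # A parser that does not honour '--!>' never sees the comment close.
    print(repr(outside_comments(filter_and_render(CASE_NORMAL)['new'],
                                bang_closes=False)))
```

What the three cases show: with the old patterns the `<head>` block of `CASE_NORMAL` is stripped, with the new ones it survives and is left to the other filters; in `CASE_EARLY_CLOSE` the comment ends at the `-->` the sender formed from the attribute, leaving a stray `--!>` in the rendered text, although the tag itself never gets out of the comment; and with `bang_closes=False` the whole message disappears into an unclosed comment, which is the cost of the non-standard `--!>` terminator.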