[imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD
Chuck Hagenbuch
chuck at horde.org
Mon Apr 7 18:21:18 UTC 2008
Please keep discussions on the lists.
Quoting Ziba Scott <ziba at umich.edu>:
> Maybe it would be better to just strip out the tags themselves (but not
> everything outside of the tags). I don't see much value in keeping
> commented out html around:
>
> $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '';
> $patterns['/(<\/(body|html)>)/si'] = '';
That seems better to me.
> Stripping only the tags versus stripping the tags and outside of the
> tags doesn't give the attacker any new opportunities. In the current
> system, the attacker just has to put their evil inside the html tags and
> it will not be removed.
Well, assuming it's not caught by anything else, but yes. My concern
was not copying over attributes from html/body tags into comments.
> Can you elaborate on what you would like to see from me to be
> comfortable including an xss filter change?
If you look in framework/Text_Filter/tests/, there are a number of xss
tests (all run by xss.phpt, I believe). Making sure that all of those
still pass, and possibly adding some new tests that ensure that
malicious code broken up into multiple <html> or <body> tags is still
escaped, would be the minimum.
Thanks,
-chuck
--
"I have concerns that we are not behaving like a mature, responsible,
collection of interdependent organisms." - Rick O.
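
A standalone check of the kind asked for above, added here and not part of the original message or of Horde's test suite: it applies the two patterns quoted in the thread to constructed inputs in which nested <html>/<body> tags split other markup. The helper names and the looks_active() stand-in for the remaining filter rules are hypothetical.

```php
<?php
// Added example: not Horde's Text_Filter code. Only the two patterns
// below come from the message.
$patterns = array(
    '/(<body[^>]*>|<html[^>]*>)/si' => '',
    '/(<\/(body|html)>)/si'         => '',
);

// Hypothetical helper: a single pass of the strip patterns.
function strip_once($html, array $patterns)
{
    return preg_replace(array_keys($patterns), array_values($patterns), $html);
}

// Hypothetical helper: repeat until the text stops changing, so a tag
// reassembled by one removal is itself removed on the next pass.
function strip_stable($html, array $patterns)
{
    do {
        $prev = $html;
        $html = strip_once($html, $patterns);
    } while ($html !== $prev);
    return $html;
}

// Stand-in for the remaining xss rules (assumption): flags a <script,
// <html or <body tag, or an on*= attribute, left in the output.
function looks_active($html)
{
    return (bool) preg_match('/<\s*(script|html|body)\b|\bon\w+\s*=/i', $html);
}

// Constructed inputs: markup split by nested <html>/<body> tags.
$cases = array(
    'nested body tag'  => '<bo<body>dy onload="x()">hi',
    'nested close tag' => 'hi</bo</html>dy>',
    'split by <html>'  => '<scr<html>ipt>x()</scr</html>ipt>',
);

foreach ($cases as $name => $input) {
    $once   = strip_once($input, $patterns);
    $stable = strip_stable($input, $patterns);
    printf("%-17s one pass: %-24s stable: %-22s needs further filtering: %s\n",
        $name, var_export($once, true), var_export($stable, true),
        looks_active($stable) ? 'yes' : 'no');
}
```

The third case is the one a new xss test has to cover: removing the tags joins the fragments around them, so the strip has to run before the other rules, or its output has to be filtered again.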