----- Original Message -----
From: Squishdot <squishdot@yahoo.com>
tres seaver <tseave-@palladion.com> wrote:
> The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral equivalents, <OBJECT>, <EMBED>, and <APPLET>).
Yes, I've been reading up on it as well. I'll be studying this issue as well WRT Squishdot. I would probably need to add some validation to Squishdot to filter out these *malicious tags* -- if anyone in the Zope/Squishdot has ideas/code to fix this, please contact me ASAP.
Slashdot.org has had to deal with this issue for quite some time, and is high-profile enough to attract many *cough* security testers *cough*. They forbid anything not on a short list of harmless tags. IMNSHO this is a far better approach than trying to keep a list of dangerous tags, since it is conservative; if you miss one, or a new tag is added to the HTML standard and turns out to be a security risk, you aren't vulnerable by default.

Consider also that if you are running a squishdot or similar contributed-content site you probably want to "defend" against invalid HTML. An unclosed <b> or <table> can ruin a page, or even render it invisible on some browsers. What would an embedded </body> do to a discussion? Unless you want to live with *really* minimal markup, the best approach is probably to run contributed text through a full parser. Since xmllib comes with Python, it's a candidate, although I'm not sure if it would force you to require XHTML (stuff like <img src=... />). I may take a swipe at this.

Cheers,
Evan @ 4-am
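The allowlist-plus-full-parser approach Evan describes, as an added example that is not part of the original thread nor code from Squishdot or Slashdot: a sanitizer on Python's standard html.parser (rather than the old xmllib module mentioned above) that keeps only a short, hypothetical list of harmless tags and attributes, drops every other tag including <script>, <object>, <embed> and <applet>, ignores a stray </body>, and closes whatever a contributor left open.

```python
# Added example (not Squishdot/Slashdot code); the allowlist below is a hypothetical short list.
from html import escape
from html.parser import HTMLParser
ALLOWED_TAGS = {  # tag -> attributes it may keep; every other tag is dropped
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "br": set(),
    "blockquote": set(), "code": set(), "pre": set(), "li": set(), "a": {"href"},
}
SAFE_HREF = ("http://", "https://")  # rejects javascript:, data:, vbscript: links
DROP_CONTENT = {"script", "style"}   # drop these elements *and* their contents

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0  # skip > 0 while inside DROP_CONTENT

    def handle_starttag(self, tag, attrs):  # html.parser lowercases tag/attr names
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:  # keep only allowlisted attributes, with safe hrefs
                if name in ALLOWED_TAGS[tag] and value is not None and (
                        name != "href" or value.lower().startswith(SAFE_HREF)):
                    kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag != "br":  # void tag: nothing to close later
                self.open.append(tag)  # any other tag (<embed>, <applet>, ...) is dropped

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:  # a stray </body> never matches
            while self.open:  # close anything still nested inside it first
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()  # flush the parser, then close whatever the contributor left open
    s.out.extend(f"</{t}>" for t in reversed(s.open))
    return "".join(s.out)
```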