On 2/3/00 2:05 AM, Evan Simpson at evan@4-am.com wrote:
----- Original Message ----- From: Christopher Petrilli <petrilli@digicool.com>
Evan mentioned XML-based, but I think that's a bit heavy, unless it's sgmlop based, perhaps? Other ideas? I like the idea of a minimal set of tags (A, B, I, EM, BR, P, UL, OL, LI perhaps?) that are allowed, all else is verboten... any other scheme is a "bad thing" :-)
Having now read the advisory and the slashdot discussion which followed, I now see that you have to be a little more draconian than this, even. You need to make sure that those tags are *really* bare (no onAnything="javascript:argh") and take special care with anchor hrefs.
Sadly, I thought of this after sending the post, but didn't feel like getting my backside out of bed to send an extension ;-) I don't think that it's too difficult a problem, *IF* you approach it as "that which is not explicitly allowed is forbidden," which all good security models should use.
Whether sgml or xml-based, parsing shouldn't be too much of a burden unless you get a *lot* of content submitted. You only need to do it once per submission, after all, and only if it contains '<>&'s.
I believe I read that you also need to do an entity-reference expansion because of brain damage in some browsers. Did I misread this?
Happily, the default Zope error page doesn't seem to have the 404 exploit exposed on slashdot.
It's that time-machine thing :-)

Chris
--
| Christopher Petrilli    Python Powered    Digital Creations, Inc.
| petrilli@digicool.com                     http://www.digicool.com
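An added example, not code from this thread or from Zope, of the "not explicitly allowed is forbidden" filter the discussion converges on: an allowlist of the tags Chris lists, every attribute dropped except a scheme-checked href on A (so no onAnything or javascript: survives), and entity references expanded before that check so an encoded scheme cannot hide from it. The tag set, the href scheme list and the sample inputs are assumptions drawn from the discussion.

```python
from html.parser import HTMLParser
import html
# Allowlist from the thread: anything not listed is escaped as text; the only
# attribute ever kept is href on <a>, and only after a scheme check (assumed set).
ALLOWED_TAGS = {"a", "b", "i", "em", "br", "p", "ul", "ol", "li"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def safe_href(value):
    # HTMLParser already expands entity references in attribute values, so
    # "javascript&#58;" arrives as "javascript:"; unescape once more, then drop
    # whitespace/control characters browsers ignore inside the scheme.
    v = html.unescape(value)
    v = "".join(ch for ch in v if ch.isprintable() and not ch.isspace()).lower()
    return v.startswith(SAFE_SCHEMES)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.out.append(html.escape(self.get_starttag_text()))  # e.g. <script>
            return
        kept = [f' {n}="{html.escape(v)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and v and safe_href(v)]
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):  # <br/> and friends
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(html.escape(f"</{tag}>"))
        elif tag in self.open:  # close inner tags too so output stays balanced
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):  # text and expanded entities are re-escaped
        self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))  # close what input left open
    return "".join(p.out)
```

Because the parser sees the same tag soup a browser would, a stray unclosed B or I in a submission is closed for it rather than left to leak into the rest of the page.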