[Zope] CERT -- Malicious HTML Tags
Christopher Petrilli
petrilli@digicool.com
Thu, 03 Feb 2000 10:06:26 -0500
On 2/3/00 2:05 AM, Evan Simpson at evan@4-am.com wrote:
> ----- Original Message -----
> From: Christopher Petrilli <petrilli@digicool.com>
>> Evan mentioned XML-based, but I think that's a bit heavy, unless it's
>> sgmlop based, perhaps? Other ideas? I like the idea of a minimal set of
>> tags (A, B, I, EM, BR, P, UL, OL, LI perhaps?) that are allowed, all else
>> is verboten... any other scheme is a "bad thing" :-)
>
> Having now read the advisory and the slashdot discussion which followed, I
> now see that you have to be a little more draconian than this, even. You
> need to make sure that those tags are *really* bare (no
> onAnything="javascript:argh") and take special care with anchor hrefs.
Sadly, I thought of this after sending the post, but didn't feel like
getting my backside out of bed to send an extension ;-) I don't think
that it's too difficult a problem, *IF* you approach it as "that which is
not explicitly allowed is forbidden," which all good security models should
use.
> Whether sgml or xml-based, parsing shouldn't be too much of a burden unless
> you get a *lot* of content submitted. You only need to do it once per
> submission, after all, and only if it contains '<>&'s.
I believe I read that you also need to do an entity-reference expansion
because of brain damage in some browsers. Did I misread this?
> Happily, the default Zope error page doesn't seem to have the 404 exploit
> exposed on slashdot.
It's that time-machine thing :-)
Chris
--
| Christopher Petrilli Python Powered Digital Creations, Inc.
| petrilli@digicool.com http://www.digicool.com
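An allowlist sanitizer along the lines Chris and Evan sketch above, written as an added example in Python for this page (it is not code from this thread, from Zope, or from Digital Creations). It keeps only the tag set named in the thread, drops every attribute except href on A, and checks the href only after expanding entities and stripping embedded whitespace, since browsers do both before looking at the scheme. The set of permitted schemes (http, https, mailto), the decision to keep the text of a dropped tag, and the closing of unbalanced tags on output are this example's own choices, not anything the thread specifies.

```python
import html
from html.parser import HTMLParser

# Allowlist from the thread: anything not listed here is dropped.
ALLOWED_TAGS = {"a", "b", "i", "em", "br", "p", "ul", "ol", "li"}
VOID_TAGS = {"br"}
# Only <a href> survives; on* handlers, style, target, etc. never get through.
ALLOWED_ATTRS = {"a": {"href"}}
# Assumption for this example: the only URL schemes a submitter may link to.
SAFE_SCHEMES = {"http", "https", "mailto"}


def url_scheme(url):
    """Return the lowercased scheme of url, or '' for a relative URL."""
    for i, ch in enumerate(url):
        if ch == ":":
            return url[:i].lower()
        if ch in "/?#":
            return ""
    return ""


def safe_href(value):
    """Return a cleaned href, or None if the attribute must be dropped."""
    # Browsers expand entities and ignore embedded whitespace/control
    # characters before parsing the scheme, so do the same here:
    # "java&#115;cript:" and "java\tscript:" must both be caught.
    raw = html.unescape(value)
    cleaned = "".join(ch for ch in raw if ch.isprintable() and not ch.isspace())
    scheme = url_scheme(cleaned)
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return cleaned


class Sanitizer(HTMLParser):
    """Re-serialise input keeping only allowlisted tags and attributes."""

    def __init__(self):
        # convert_charrefs=True: text reaches handle_data already expanded,
        # so "&lt;" and "<" are treated identically and re-escaped once.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag is dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # silently drops onclick=, onmouseover=, style=, ...
            if name == "href":
                value = safe_href(value or "")
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed close tag: drop it
        # Close anything opened after it too, so the output stays nested.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        # Text can never reintroduce markup: escape &, < and > on the way out.
        self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # close whatever the submitter left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment)
    return p.close()


if __name__ == "__main__":
    # Constructed sample submissions, not real data.
    for sample in ('<p onclick="alert(1)">Hi <b>there</b></p>',
                   '<a href="java&#115;cript:alert(1)">x</a>',
                   '<a href="http://example.com/?a=1&b=2">ok</a>',
                   '<img src=x onerror=alert(1)>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

HTMLParser lowercases tag and attribute names, so `<A HREF=...>` and `OnClick=` get the same treatment as their lowercase forms. Comments, declarations and processing instructions are discarded because the default handlers do nothing with them. The content of a dropped `<script>` or `<style>` element is still delivered to handle_data and emitted as escaped text, which is harmless but may look odd; rejecting the whole submission when a disallowed tag appears is the stricter alternative.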