[Zope] CERT -- Malicious HTML Tags

Jules zope@jules.com
Thu, 3 Feb 2000 10:31:07 -0500


On Wed, Feb 02, 2000 at 04:56:07PM -0600, Tres Seaver wrote:
|The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral
|equivalents, <OBJECT>, <EMBED>, and <APPLET>).  Consider, for instance, those
|nasty pop-up windows launched by some "free" webspace providers;  then consider
|what happens in Squishdot, ZGotW, or any other site which permits users to enter
|arbitrary HTML as part of the feedback/collaboration process.  Not a pretty
|scene!

Hmmm... I wonder if a global replace of all <script .*> with &lt;script
.*&gt; before a commit might work in the short term? Or just whack
everything between script tags (and optionally alert a human via email
or log).

My sites have only allowed <b> and <i> tags in text and textarea for
the longest time and strip everything else out. I've accidentally
protected myself for once! Hoo hoo!

Cheers,
Jules