[Zope] Malicious HTML in (Squishdot) postings

Tres Seaver tseaver@palladion.com
Sat, 05 Feb 2000 15:20:09 -0600


Squishdot <squishdot@yahoo.com> wrote

> Hi all,
> 
> CERT has issued a security advisory regarding improperly checked output from dynamic
> pages.
> 
> The CERT advisory can be found at:
> 
>             http://www.cert.org/advisories/CA-2000-02.html
> 
> Unfortunately, Squishdot is vulnerable to such problems. However, I (and others in the Zope
> community) am trying to find a permanent solution to this. Of course, your help is also
> welcome (code patches accepted :^))
> 
> While each site (e.g. depending on the audience, accessibility, amount of traffic) is vulnerable
> in varying degrees to these types of problems, I would urge each administrator to evaluate
> their own security policies regarding these problems and take steps appropriate for their own
> circumstances.
> 
> In the meantime -- temporarily -- the  best way to deal with the problem is to turn moderation
> on for everything, and then properly check each posting manually.
> 
> Regards,
> 
> Butch

What we need is a handy-dandy-clean-up-user-submitted-HTML-to-take-home-to-Mama
function, coded in Python.  It would need to strip out / quote ANY "unapproved"
tags (for structured text, would it be enough just to quote "&", "<", and
">"?).  The list of allowable tags might be passed in as a list, but a first cut
could just hardcode "[ 'em', 'strong', 'ul', 'ol', 'li', 'dl', 'dt', 'dd' ]" (or
whatever) and be fine.

Anyone feel inspired to write it?

-- 
=========================================================
Tres Seaver         tseaver@palladion.com    713-523-6582
Palladion Software  http://www.palladion.com
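An added example, not code from this thread, from Squishdot or from Zope: a first cut at the function Tres describes, written in Python 3 against the standard-library html.parser (which postdates the 2000-era Zope this thread is about). The whitelist is hardcoded from his message but accepted as a parameter; every attribute is dropped, even on approved tags, because an approved `<strong onmouseover=...>` is still a script vector; and unapproved tags are quoted rather than silently stripped, so the poster can see what was rejected. The sample postings in the `__main__` block are constructed for the example.

```python
"""
Whitelist-based sanitizer for user-submitted HTML in postings.

Keeps only an approved list of tags (attributes discarded), quotes every
other tag so it renders as literal text, escapes plain text, and closes
tags the poster left open so the output stays well-formed.
"""
import html
from html.parser import HTMLParser

# First-cut whitelist taken from the message above; callers may pass their own.
DEFAULT_ALLOWED_TAGS = frozenset(['em', 'strong', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'])


class _WhitelistSanitizer(HTMLParser):
    """Rebuilds the posting, emitting only approved tags with no attributes."""

    def __init__(self, allowed):
        # convert_charrefs=True: "&lt;script&gt;" reaches handle_data as the
        # text "<script>" and is re-escaped there, so entity-encoded markup
        # cannot slip past the whitelist and be un-escaped by a later stage.
        super().__init__(convert_charrefs=True)
        self.allowed = frozenset(t.lower() for t in allowed)
        self.out = []
        self.open_tags = []  # stack of approved tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append('<%s>' % tag)  # attributes deliberately dropped
            self.open_tags.append(tag)
        else:
            # Quote rather than strip: the rejected tag shows up as text.
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # <br/>, <img .../>: none of the approved tags are self-closing,
        # so these are always quoted.
        self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in self.allowed and tag in self.open_tags:
            # Close anything still open inside it, so nesting stays balanced.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append('</%s>' % inner)
                if inner == tag:
                    break
        else:
            # Unapproved or stray close tag: quote it.
            self.out.append(html.escape('</%s>' % tag))

    def handle_data(self, data):
        # Plain text: quoting "&", "<" and ">" is the whole job here.
        self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE>, <?...?> and <![CDATA[...]]> carry nothing a
    # posting needs, so they are dropped outright.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self):
        self.close()
        while self.open_tags:  # close tags the poster forgot to close
            self.out.append('</%s>' % self.open_tags.pop())
        return ''.join(self.out)


def sanitize(text, allowed=DEFAULT_ALLOWED_TAGS):
    """Return text with only the approved tags kept as markup."""
    parser = _WhitelistSanitizer(allowed)
    parser.feed(text)
    return parser.result()


if __name__ == '__main__':
    # Constructed sample postings, not real Squishdot data.
    for posting in [
        '<strong onclick="alert(1)">bold</strong> and <em>italic',
        '<script>alert(document.cookie)</script>',
        '&lt;img src=x onerror=alert(1)&gt;',
        'Tom & Jerry: 1 < 2',
    ]:
        print(repr(posting), '->', repr(sanitize(posting)))
```

The `handle_data` path also answers the structured-text question in the message: for text that carries no markup at all, escaping `&`, `<` and `>` is sufficient, and it is exactly what the sanitizer does to everything between approved tags.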