[Zope] CERT -- Malicious HTML Tags

Christopher Petrilli petrilli@digicool.com
Thu, 03 Feb 2000 01:40:45 -0500


On 2/2/00 5:56 PM, Tres Seaver at tseaver@palladion.com wrote:

> 
> Anyone care to comment on Zope's vulnerability here?  For instance, the ZGotW
> site allows submissions in structured text, plain text, and HTML -- but now I
> am probably going to htmlquote() the last, which kills a lot of the point of
> it, no?

From my reading, the reality is that it's not a vulnerability in any
specific server, but a design flaw in applications built on them.  Having
said that, it is perhaps desirable for Zope to provide a "cleansing"
mechanism that removes tags not allowed (i.e. you give it a list of
disallowed, or allowed tags, and it does the "right thing").

So having said that, there's really nothing Zope can do that is not
application specific, besides providing some "validation" code that can be
called as appropriate.  Hopefully people understand this is a design flaw in
applications.

Evan mentioned XML-based, but I think that's a bit heavy, unless it's sgmlop
based, perhaps?  Other ideas? I like the idea of a minimal set of tags (A,
B, I, EM, BR, P, UL, OL, LI perhaps?) that are allowed, all else is
verboten... any other scheme is a "bad thing" :-)

Chris
-- 
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli@digicool.com                             http://www.digicool.com
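The allowlist scheme Chris sketches above (keep a small set of tags, drop everything else), written out as an added example that is not part of the original thread and not Zope's own code. It uses only Python's standard `html.parser`; the tag list is the one from the message. The attribute handling (only `href` on `<a>`, and only with an http/https/mailto/relative URL) and the dropping of `<script>`/`<style>` contents are my own assumptions, since the message does not discuss attributes at all.

```python
# Allowlist-based HTML tag filter (added example, not Zope code).
# Tags not on the allowlist are removed but their text content is kept;
# script/style bodies are dropped entirely; all text is re-escaped on output.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# The minimal tag set proposed in the message above.
ALLOWED_TAGS = {"a", "b", "i", "em", "br", "p", "ul", "ol", "li"}
# Assumption: the only attribute worth keeping is href on <a>.
ALLOWED_ATTRS = {"a": {"href"}}
# Assumption: permit absolute http(s)/mailto links and relative links ("" scheme).
SAFE_SCHEMES = {"http", "https", "mailto", ""}
# Assumption: content of these elements is never user-visible text, so drop it.
DROP_CONTENT = {"script", "style"}


def _safe_url(value):
    """True if the href scheme is on the allowlist (javascript:, data:, etc. are not)."""
    if value is None:
        return False
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: handle_data receives decoded text, which we re-escape.
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_stack = []   # allowed tags currently open, for well-formed output
        self.skipping = None   # name of a DROP_CONTENT element we are inside

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content still flows through
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. are never copied
            if name == "href" and not _safe_url(value):
                continue
            rendered.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        if tag == "br":
            self.out.append("<br>")  # void element, nothing to close
        else:
            self.out.append("<%s%s>" % (tag, "".join(rendered)))
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self.skipping is not None:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in self.open_stack:
            return  # disallowed or unmatched closing tag: drop it
        # Close everything opened after this tag so the output nests properly.
        while self.open_stack:
            top = self.open_stack.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if self.skipping is not None:
            return
        self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base-class no-op handlers, i.e. they are dropped.

    def close(self):
        super().close()  # flush any buffered trailing text
        while self.open_stack:  # close tags the submitter left open
            self.out.append("</%s>" % self.open_stack.pop())


def sanitize(html):
    """Return html reduced to the allowlisted tags, with text re-escaped."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample submission, not taken from any real site.
    sample = '<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>' \
             '<a href="javascript:alert(1)">bad</a> <a href="http://example.com/">ok</a>'
    print(sanitize(sample))
```

The parser keeps the output well-formed (mismatched or unclosed tags are closed for the submitter), which matters because a half-closed `<b>` can otherwise swallow page chrome below the submission. Note that a real deployment would want to check for parser-specific quirks against a maintained sanitizer; this block only shows the shape of the allowlist approach discussed in the thread.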