[Zope] CERT -- Malicious HTML Tags

Christopher Petrilli petrilli@digicool.com
Thu, 03 Feb 2000 10:06:26 -0500


On 2/3/00 2:05 AM, Evan Simpson at evan@4-am.com wrote:

> ----- Original Message -----
> From: Christopher Petrilli <petrilli@digicool.com>
>> Evan mentioned XML-based, but I think that's a bit heavy, unless it's
>> sgmlop based, perhaps?  Other ideas? I like the idea of a minimal set of
>> tags (A, B, I, EM, BR, P, UL, OL, LI perhaps?) that are allowed, all else
>> is verboten... any other scheme is a "bad thing" :-)
> 
> Having now read the advisory and the slashdot discussion which followed, I
> now see that you have to be a little more draconian than this, even.  You
> need to make sure that those tags are *really* bare (no
> onAnything="javascript:argh") and take special care with anchor hrefs.

Sadly, I thought of this after sending the post, but didn't feel like
getting my back side out of bed to send an extension ;-)  I don't think
that it's too difficult a problem, *IF* you approach it as "that which is
not explicitly allowed is forbidden," which all good security models should
use.

> Whether sgml or xml-based, parsing shouldn't be too much of a burden unless
> you get a *lot* of content submitted.  You only need to do it once per
> submission, after all, and only if it contains '<>&'s.

I believe I read that you also need to do an entity-reference expansion
because of brain damage in some browsers.  Did I misread this?

> Happily, the default Zope error page doesn't seem to have the 404 exploit
> exposed on slashdot.

It's that time-machine thing :-)

Chris
-- 
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli@digicool.com                             http://www.digicool.com
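The filter sketched in the thread (a fixed allowlist of bare tags, every attribute dropped except a checked href on A, and the check done only after entity references have been expanded), as an added Python example that is not part of the original message, of Zope, or of sgmlop. It uses the standard library's html.parser rather than sgmlop; the tag set is the one proposed above, while the allowed URL schemes, the handling of unclosed tags and the function names are my own choices.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "That which is not explicitly allowed is forbidden": the tag list from the
# thread, and the only attribute we ever keep is href on <a>.
ALLOWED_TAGS = {"a", "b", "i", "em", "br", "p", "ul", "ol", "li"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
# Assumption: absolute http/https/mailto links and relative links ("" scheme)
# are acceptable; javascript:, data:, vbscript: etc. are rejected by omission.
SAFE_SCHEMES = {"http", "https", "mailto", ""}


def safe_href(value: str) -> bool:
    """Return True if the (already entity-expanded) href has a permitted scheme.

    Browsers ignore tabs, newlines and leading control characters when they
    parse a URL scheme, so strip everything at or below a space before looking
    at the scheme; otherwise "java\\tscript:" slips past a naive check.
    """
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input from scratch, emitting only allowed tags and text."""

    def __init__(self) -> None:
        # convert_charrefs=True expands &lt;, &#60; ... in text before we see
        # it; attribute values are always unescaped by HTMLParser, which is
        # what lets the href check see "javascript&#58;..." as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text content still passes through handle_data
        kept = []
        for name, value in attrs:  # names are already lower-cased by the parser
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # onclick, style, src, ... all disappear here
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed close tag
        # Close anything opened after it as well so the output stays well-formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        # Text was entity-expanded on the way in, so re-escape it on the way out.
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are never reproduced.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self) -> str:
        self.close()  # flush any buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Sanitize one submitted HTML fragment (e.g. a comment or guestbook entry)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample submissions, not data from the original thread.
    for sample in [
        '<b onmouseover="alert(1)">hi</b>',
        '<a href="javascript&#58;alert(1)">click</a>',
        '<a href="http://example.com/?a=1&amp;b=2">ok</a>',
        "<script>alert(1)</script>",
        "1 &lt; 2 <img src=x onerror=alert(1)>",
        "<p><b>unclosed",
    ]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the parser expands entity references in attribute values before the filter runs, an href written as `javascript&#58;alert(1)` is rejected just like a plain `javascript:` one, which is the entity-expansion point raised above. Text nodes are expanded on input and re-escaped on output, so `&lt;` survives as `&lt;` rather than becoming a literal `<` in the page.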