nms-cgi-devel

[Nms-cgi-devel] Re: [Nms-cgi-commits] CVS Commit guestbook.pl

[Nick C. <ni...@cl...>]

On Fri, Dec 14, 2001 at 04:19:25PM -0800, Nick Cleaton wrote:
>
> Modified Files:
> 	guestbook.pl 
> Log Message:
> Added a whitelist-based HTML filter to strip out unsafe constructs
> when $allow_html is 1
> 

This needs testing.  It limits HTML constructs to safe tags
with safe attributes, and untangles things like <b><i></b></i>.

It doesn't do anything about improper nesting order (as in
<i><table></table></i>) but I don't think it needs to in order
to be secure against malicious scripting constructs.  Since
it's already too long and too complicated, I'm not inclined to
add nesting order logic.

--
Nick

[Nms-cgi-devel] Re: [Nms-cgi-commits] CVS Commit guestbook.pl

[Nick C. <ni...@cl...>]

On Tue, Dec 18, 2001 at 02:21:13PM -0800, Nick Cleaton wrote:
> 
> Modified Files:
> 	guestbook.pl 
> Log Message:
> * minor HTML filter fixes
> * started on allowing the style attribute

Just allowing the color style so far.

> * added non-XHTML (but harmless) NOBR tag

Dave, is that OK ?

I added it because it was the one harmless tag that the filter
rejected when I pasted the front page of slashdot into the
guestbook.  We could just strip it out, or try to be clever
and strip it out but s/ /&nbsp;/g until </nobr>.

So, is munging the guestbook postings into truly valid XHTML
a priority, or are we happy with anything that's secure against
malicious scripting constructs ?

--
Nick

Re: [Nms-cgi-devel] Re: [Nms-cgi-commits] CVS Commit guestbook.pl

[Dave C. <da...@da...>]

On Tue, Dec 18, 2001 at 11:36:06PM +0000, Nick Cleaton (ni...@cl...) wrote:
> On Tue, Dec 18, 2001 at 02:21:13PM -0800, Nick Cleaton wrote:
> > 
> > Modified Files:
> > 	guestbook.pl 
> > Log Message:
> > * minor HTML filter fixes
> > * started on allowing the style attribute
> 
> Just allowing the color style so far.
> 
> > * added non-XHTML (but harmless) NOBR tag
> 
> Dave, is that OK ?

Sounds fine to me - unless anyone has any serious objections.

Could we make it at least _look_ like XHTML - <nobr /> - or is that a 
complete waste of time?

Dave...

-- 

  .sig missing...

Re: [Nms-cgi-devel] Re: [Nms-cgi-commits] CVS Commit guestbook.pl

[Nick C. <ni...@cl...>]

On Wed, Dec 19, 2001 at 07:32:00AM +0000, Dave Cross wrote:
> > 
> > > * added non-XHTML (but harmless) NOBR tag
> > 
> > Dave, is that OK ?
> 
> Sounds fine to me - unless anyone has any serious objections.
> 
> Could we make it at least _look_ like XHTML - <nobr /> - or is that a 
> complete waste of time?

The filter ensures that there's a matching </nobr>, so there's no
need for <nobr />.

--
Nick