From: Gabriel L. <ga...@bu...> - 2002-07-09 03:50:56
Steve,

You're going to find that there is a whole lot more that is evil than just script tags... What I'd suggest you do is instead parse for occurrences of <> and only allow things to appear in tags that you have a good list... i.e., let i, b, p, br appear, but don't let img, script... You may want to go further and define some semantics for main tags (p, b, i, br) vs things like onLoad and such that are javascript... You can then also allow only certain sub tags to appear as well.

-gabe

On Mon, 2002-07-08 at 19:08, Steven J. Sobol wrote:
>
> https://yourwebmail.com/ is an alpha version of a high-powered
> webmail client I'm developing. You can't compose mail using it yet,
> but you can definitely read mail, both plaintext and HTML.
>
> Right now, the only thing I do to minimize the potential for problems is
> to do a regexp search/replace on the HTML before rendering it; turning
> <SCRIPT> into <YWMALIAS> and </SCRIPT> into </YWMALIAS>.
>
> I'm still not sure exactly which direction this project is taking, but
> perhaps we can discuss input filtering for the webmail app?
>
> I'd be happy to give y'all shell logins and e-mail boxes here so you
> can check out the code, if interested. Platform is Linux/Apache/Cyrus
> (POP3/IMAP4 daemon and mailbox store)/Exim (MTA)/MySQL/PHP. LDAP will
> eventually be used for online address book storage and user
> authentication.
>
> --
> Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET
> - I do my best work with one of my cockatiels sitting on each shoulder -
> 6/4/02: A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance
> stance towards abusive priests. The fact that 20% didn't, scares me...
>
> _______________________________________________
> Owasp-input-api-developers mailing list
> Owa...@li...
> https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers
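The allowlist approach Gabriel describes, as an added example that is not code from either poster or from the webmail project (which is PHP; this is Python, chosen because the standard-library parser makes the idea easy to show). It assumes the tag set from the post (p, b, i, br) and makes two design decisions the thread only implies: every attribute is discarded, since that is where onLoad-style handlers live, and any tag not on the list is escaped rather than renamed, so it renders as inert visible text. Because it parses tags instead of pattern-matching strings, it also handles upper-case tag names, script bodies, self-closing forms and unclosed tags, which a search/replace on `<SCRIPT>` does not.

```python
from html import escape
from html.parser import HTMLParser

# Tag allowlist taken from the post (p, b, i, br). Anything else is escaped,
# not renamed, so it renders as visible text and is never interpreted.
ALLOWED_TAGS = {"p", "b", "i", "br"}
VOID_TAGS = {"br"}  # allowed tags that never take a closing tag


class AllowlistSanitizer(HTMLParser):
    """Re-emit allowlisted tags with every attribute removed; escape all else.

    Attributes are dropped wholesale (an assumption of this example) because
    event handlers such as onLoad live there; an allowlisted tag is only ever
    emitted as a bare <tag>.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_stack = []   # allowed tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <IMG> and <ScRiPt> are caught too.
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_stack.append(tag)
        else:
            # Unknown tag: emit its raw source escaped, e.g. &lt;img ...&gt;
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/>: treat exactly like a start tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        elif tag in self.open_stack:
            # Close this tag and anything still open inside it to keep output balanced.
            while self.open_stack:
                closing = self.open_stack.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break
        # A stray closing tag for an allowed tag that is not open is dropped.

    def handle_data(self, data):
        # Text content, including anything inside <script>...</script>, is escaped.
        self.out.append(escape(data))

    # Comments, doctype declarations and processing instructions carry no
    # value for a mail reader and are dropped.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass


def sanitize(html: str) -> str:
    """Return an allowlist-sanitized version of html."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()  # flush any buffered text
    while parser.open_stack:  # close tags the sender left open
        parser.out.append(f"</{parser.open_stack.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples of the kinds of markup a mail body might carry.
    samples = [
        "<p>Hi <b>there</b></p>",
        '<b onLoad="x">bold</b>',
        "<script>x()</script>",
        '<IMG src="a" onLoad="y">',
        "a<br/>b",
        "<p>unclosed",
        "1 < 2",
    ]
    for s in samples:
        print(f"{s!r:30} -> {sanitize(s)!r}")
```

Extending this toward Gabriel's second suggestion (per-tag semantics and permitted sub-tags) means replacing the flat `ALLOWED_TAGS` set with a per-tag table of allowed attributes and allowed children, and checking `self.open_stack[-1]` in `handle_starttag`; the escape-by-default behaviour for anything not in the table stays the same.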