Re: [Pas-dev] css (security)
From: Mental <me...@ne...> - 2002-05-17 15:59:07
On Fri, 2002-05-17 at 11:48, Kyle R. Burton wrote:
> I'm aware of this kind of attack. Are there no possible instances where
> someone using Pas would actually use angle brackets? What about if/when
> we start handling XML? XML-RPC/SOAP?

Yes, but what if you never plan on using that? :) It absolutely should be
configurable. Just like the include file datecheck stuff.

And it doesn't need to be angle brackets we worry about. We can look for
/\<\s*script/ whatever... this is why I'm asking. :) An optional 'block the
skript kiddies' filter might be nice.

> If we institute a blanket solution we're bound to break something.

Correct. Again, we could have several choices. And hopefully some user
contributed filters as well.

> How about we make it either a filter module, or configurable behavior?

Yes.

> How can we deterministically say what/where data is allowed to have angle
> brackets? I'm not sure I can see how we can always do the right thing.
> I'm afraid we'll do the wrong thing often enough to make using Pas
> unpleasant.

I'm afraid you're off on the angle bracket thing. That was only one of my
half-baked ideas. The other was deterministically looking for <SCRIPT>,
<OBJECT>, <APPLET>, and <EMBED>. The angle bracket thing was my
oversimplified method for dealing with them.

If developers _want_ to pass these along, then in my mind that's no
different than complaining something isn't suid. If you want to disable
the safety, fine. But don't complain to me when you shoot yourself in the
foot. That's all.

> I think I like the idea of either making it a plug-in or a run-time
> configuration option. It should be documented in the manuals somewhere...

Ok, so a plugin you can optionally turn off that looks for the tags
mentioned in the CERT advisory (http://www.cert.org/advisories/CA-2000-02.html)
then?

-- 
Mental (Me...@Ne...)
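The configurable filter the thread converges on, written out as an added Python example (not Pas code, and not from either poster): a run-time mode selects between passing data through, neutralising only the four tags named in the thread (matched the way the `/\<\s*script/` idea suggests, tolerant of whitespace and case), or encoding every angle bracket. Function and mode names are assumptions made for this example.

```python
import html
import re

# Tags the thread (via CERT CA-2000-02) wants an optional filter to catch.
BLOCKED_TAGS = ("script", "object", "applet", "embed")

# Match '<', optional whitespace, optional '/', then a blocked tag name.
# Case-insensitive, and the word boundary keeps e.g. "<scripts>" from
# matching (it is not one of the listed tags).
_TAG_RE = re.compile(
    r"<\s*/?\s*(" + "|".join(BLOCKED_TAGS) + r")\b", re.IGNORECASE
)


def find_blocked_tags(text):
    """Return the (lower-cased) blocked tag names that occur in text."""
    return [m.group(1).lower() for m in _TAG_RE.finditer(text)]


def filter_output(text, mode="blocklist"):
    """Apply the run-time configurable filter discussed in the thread.

    mode="off":       developer opted out; data passes through unchanged.
    mode="blocklist": neutralise only the listed tags by encoding their
                      leading '<'; all other markup is left alone, so
                      XML or legitimate HTML keeps working, but nothing
                      outside these four tags is covered.
    mode="escape":    the blanket angle-bracket approach: encode every
                      '<', '>' and '&'.  Breaks markup, covers everything.
    """
    if mode == "off":
        return text
    if mode == "escape":
        return html.escape(text, quote=False)
    if mode == "blocklist":
        # Keep the rest of the tag visible verbatim; only the '<' changes,
        # so the browser sees text rather than an element.
        return _TAG_RE.sub(lambda m: "&lt;" + m.group(0)[1:], text)
    raise ValueError("unknown filter mode: %r" % (mode,))
```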