[Zope] Re: CERT -- Malicious HTML Tags

Evan Simpson evan@4-am.com
Wed, 2 Feb 2000 20:48:19 -0600


----- Original Message -----
From: Squishdot <squishdot@yahoo.com>
> tres seaver <tseave-@palladion.com> wrote:
> > The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their
> > immoral equivalents, <OBJECT>, <EMBED>, and <APPLET>).
>
> Yes, I've been reading up on it as well. I'll be studying this issue
> as well WRT to Squishdot. I would probably need to add some validation
> to Squishdot to filter out these *malicious tags* -- if anyone in the
> Zope/Squishdot has ideas/code to fix this, please contact me ASAP.

Slashdot.org has had to deal with this issue for quite some time, and is
high-profile enough to attract many *cough* security testers *cough*.  They
forbid anything not on a short list of harmless tags.  IMNSHO this is a far
better approach than trying to keep a list of dangerous tags, since it is
conservative: if you miss one, or a new tag is added to the HTML standard
and turns out to be a security risk, you aren't vulnerable by default.

Consider also that if you are running a squishdot or similar
contributed-content site you probably want to "defend" against invalid HTML.
An unclosed <b> or <table> can ruin a page, or even render it invisible on
some browsers.  What would an embedded </body> do to a discussion?

Unless you want to live with *really* minimal markup, the best approach is
probably to run contributed text through a full parser.  Since xmllib comes
with Python, it's a candidate, although I'm not sure if it would force you
to require XHTML (stuff like <img src=... />).  I may take a swipe at this.

Cheers,

Evan @ 4-am
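The approach sketched above, as an added example that is not part of this thread and not Squishdot or Zope code: contributed text is run through a real HTML parser, only tags on a short allowlist are kept (everything else, including <script>, <object>, <embed> and <applet>, is dropped rather than matched against a denylist), stray closing tags such as </body> are discarded, and tags left open at the end of the post are closed so one contribution cannot break the rest of the page. It uses Python's html.parser instead of the xmllib module mentioned in the message (xmllib no longer ships with Python), so it does not require XHTML input. The allowlist, attribute policy and the sample posts are assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser

# Illustrative allowlist (an assumption for this example): a short list of
# harmless formatting tags, plus <a> restricted to http/https links.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "pre", "p", "br",
                "blockquote", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}                       # never pushed on the open-tag stack
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
SAFE_SCHEMES = ("http://", "https://")   # rejects javascript:, data:, vbscript:
SKIP_CONTENT = {"script", "style"}       # drop the body of these, not just the tag


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a document from parsed events, keeping only allowlisted tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded, we re-escape
        self.out = []        # sanitized output fragments
        self.stack = []      # currently open allowlisted tags, for balancing
        self.skipping = None  # name of the <script>/<style> whose body we are dropping

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag not in ALLOWED_TAGS:
            if tag in SKIP_CONTENT:
                self.skipping = tag  # suppress text until the matching end tag
            return               # unknown/dangerous tag: dropped silently
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue         # e.g. onclick, style, onmouseover
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue         # unsafe URL scheme: drop the attribute, keep the tag
            kept.append((name, html.escape(value, quote=True)))
        attr_text = "".join(f' {n}="{v}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in self.stack:
            return               # stray </body>, </script>, or never-opened tag
        # Close everything opened after this tag too, which repairs misnesting
        # such as <b><i>text</b>.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.skipping:
            return               # script/style body is thrown away
        self.out.append(html.escape(data, quote=False))

    # Comments, processing instructions and declarations fall through to the
    # base-class no-op handlers, so they are dropped as well.

    def close(self):
        super().close()          # flush any buffered text first
        while self.stack:        # then close whatever the contributor left open
            self.out.append(f"</{self.stack.pop()}>")

    def result(self):
        return "".join(self.out)


def sanitize(contributed_html):
    """Return an allowlist-filtered, tag-balanced version of a contribution."""
    parser = AllowlistSanitizer()
    parser.feed(contributed_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample posts, not real contributions.
    samples = [
        "Hello <script>alert(1)</script> world",
        '<a href="javascript:alert(1)" onclick="x()">link</a>',
        "<b>bold <i>both</b> plain again",
        "</body><p>an unclosed paragraph",
        '<object data="evil.swf">fallback text</object>',
    ]
    for post in samples:
        print(repr(post), "->", repr(sanitize(post)))
```

Because the filter is an allowlist, a tag that is neither in ALLOWED_TAGS nor in SKIP_CONTENT is removed while its text survives, which is the conservative default the message argues for: adding a newly discovered dangerous tag to the code is never required for it to be blocked. Dropping the attribute rather than the whole <a> on an unsafe href is a design choice; rejecting the link entirely is equally defensible.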