[Zope] Re: CERT -- Malicious HTML Tags
Bruce Elrick
belrick@saltus.ab.ca
Wed, 02 Feb 2000 20:13:35 -0700
Evan Simpson wrote:
>
> ----- Original Message -----
> From: Squishdot <squishdot@yahoo.com>
> > tres seaver <tseave-@palladion.com> wrote:
> > > The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their
> immoral
> > > equivalents, <OBJECT>, <EMBED>, and <APPLET>).
> >
> > Yes, I've been reading up on it as well. I'll be studying this issue
> > as well WRT to Squishdot. I would probably need to add some validation
> > to Squishdot to filter out these *malicious tags* -- if anyone in the
> > Zope/Squishdot has ideas/code to fix this, please contact me ASAP.
>
> Slashdot.org has had to deal with this issue for quite some time, and is
> high-profile enough to attract many *cough* security testers *cough*. They
> forbid anything not on a short list of harmless tags.
Hoever, as demonstrated in the thread on Slashdot, if you don't convert '%nn'
style characters to their actual values, malicious code can get through.
Cheers...
Bruce
--
Bruce Elrick, Ph.D. Saltus Technology Consulting Group
Personal: belrick@home.com IBM Certified Specialist
Business: belrick@saltus.ab.ca ADSM, AIX Support, RS/6000 SP, HACMP