[Zope] CERT -- Malicious HTML Tags

Evan Simpson evan@4-am.com
Thu, 3 Feb 2000 01:05:46 -0600


----- Original Message -----
From: Christopher Petrilli <petrilli@digicool.com>
> Evan mentioned XML-based, but I think that's a bit heavy, unless it's
> sgmlop based, perhaps?  Other ideas? I like the idea of a minimal set of
> tags (A, B, I, EM, BR, P, UL, OL, LI perhaps?) that are allowed, all else
> is verboten... any other scheme is a "bad thing" :-)

Having now read the advisory and the Slashdot discussion which followed, I
now see that you have to be a little more draconian than this, even.  You
need to make sure that those tags are *really* bare (no
onAnything="javascript:argh") and take special care with anchor hrefs.

Whether sgml or xml-based, parsing shouldn't be too much of a burden unless
you get a *lot* of content submitted.  You only need to do it once per
submission, after all, and only if it contains '<>&'s.

Happily, the default Zope error page doesn't seem to have the 404 exploit
exposed on Slashdot.

Cheers,

Evan @ 4-am
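
The approach discussed in this thread (a minimal tag allowlist, every attribute stripped, anchor hrefs checked, parsing skipped when the text has no '<>&'), as an added example that is not part of the original message or of Zope. It uses Python's standard html.parser rather than sgmlop; the allowed URL schemes and the names sanitize, safe_href and Sanitizer are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "b", "i", "em", "br", "p", "ul", "ol", "li"}  # list from the thread
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}          # body text of these is discarded too
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumption: not named in the thread

def safe_href(value):
    """Return the URL if it is absolute with an allowed scheme, else None."""
    # Drop whitespace and control characters that browsers ignore inside a scheme.
    cleaned = "".join(ch for ch in (value or "") if ch > " " and ch != "\x7f")
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None
    return cleaned if scheme in SAFE_SCHEMES else None

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded before checks
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return
        # Tags are re-emitted bare: on* handlers and all other attributes vanish.
        href = safe_href(dict(attrs).get("href")) if tag == "a" else None
        if href:
            self.out.append('<a href="%s">' % html.escape(href, quote=True))
        else:
            self.out.append("<%s>" % tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(text):
    if not any(c in text for c in "<>&"):
        return text  # nothing that could be markup, so no parse is needed
    parser = Sanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

Output tags are not re-balanced, so a stray closing tag from the allowlist passes through as written.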