The reason to strip script tags would be to protect users from hostile code
which the browsers can't handle themselves. Adding this feature to a
firewall at all, but not making it work properly in all cases (probably a
hopeless task anyway...) makes a false sense of security, which often is
worse than no security at all.
/Arne Vidstrom
http://ntsecurity.nu
> To: BugTraq
> Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
> Date: Mon Jan 31 2000 00:28:29
> Author: Jonah Kowall
>
> I don't consider this a bug in FW-1, but a bug in the products
> navigator, and internet explorer. These tags shouldn't be parsed, because
> they are malformed. The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.
