On Sun, Sep 01, 2002 at 04:06:08PM +0300, Jukka Holappa wrote:
> Matthew Toseland wrote:
> |>background: url(http://nightwatch.mine.nu/graphics/back.gif);
> |
> | Is this the only way to specify a URL in CSS code? Inline CSS should be
> | reasonably easy to filter if so.

I have changed the content filter parser, it now blocks url()s pointing off freenet (or containing question marks :)), and ALL link rel=stylesheet and @import's. I haven't increased the build number because it does not affect the node's external behaviour. It may be possible to get around all this by using alternate character encodings, in some charsets - this was done to get around a filter in M$ IIS a year or two ago, and used in one of the big worms... please look for more cases where the filter doesn't work, thank you.
A less invasive option may be to only block link rel=stylesheet's if they change the type of their target... however, AFAICR, Internet Explorer will use any file for anything, completely ignoring the MIME type, whether or not the MIME type is reassigned in a link, as long as it can fingerprint the file. Could somebody please verify this? If we could just block link rel=stylesheet type=, and filter anything that really is text/css or text/xsl (any more?), we could allow external stylesheets.

> I checked the standard at
> http://www.w3.org/TR/REC-CSS2/syndata.html#values and it appears to be.
> The person making the filter should note that URI can be with or without
> quotes.
>
> - - Jukka
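
The checks discussed in this message (quoted and unquoted url(), '?' in the target, off-Freenet targets, @import), sketched as an added example; this is not the Freenet filter's code. Assumptions: the function names are hypothetical, a target with a scheme or a leading // counts as off-Freenet, and CSS backslash escapes are decoded before matching, which covers only that one in-language encoding and not charset-level tricks.

```python
import re

# CSS backslash escapes: \72 (1-6 hex digits, optional trailing space) or \x.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")
# url("x"), url('x') and url(x) are all valid: the quotes are optional.
_URL = re.compile(r"""url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s'"]*))\s*\)""", re.I)
_URL_OPEN = re.compile(r"url\(", re.I)
_IMPORT = re.compile(r"@import\b", re.I)
_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")


def _unescape(css):
    # Decode escapes so that an escaped spelling of url( is matched like url(.
    def repl(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return _ESCAPE.sub(repl, css)


def _off_freenet(target):
    # Assumption: only scheme-less, host-less paths stay inside the local node.
    t = target.strip()
    return bool(_SCHEME.match(t)) or t.startswith("//")


def audit_inline_css(css):
    """Return a list of (reason, text) findings; empty means the CSS passes."""
    css = _unescape(css)
    findings = [("import", m.group(0)) for m in _IMPORT.finditer(css)]
    matches = list(_URL.finditer(css))
    for m in matches:
        target = next(g for g in m.groups() if g is not None)
        if "?" in target:
            findings.append(("query", target))
        elif _off_freenet(target):
            findings.append(("off-freenet", target))
    # Fail closed: a url( that did not parse cleanly is reported, not ignored.
    if len(_URL_OPEN.findall(css)) != len(matches):
        findings.append(("malformed-url", ""))
    return findings


if __name__ == "__main__":
    # The URL below is the one quoted in the message.
    print(audit_inline_css("background: url(http://nightwatch.mine.nu/graphics/back.gif);"))
```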
