On December 27, 2002 at 01:33, Gunnar Hjalmarsson wrote:

> Okay... Since I couldn't re-open the bug, let me make a new try here.
> How about:
>
> $$data =~ s/([^\?&;]$UAttr\s*=\s*)([^\s'">][^\s>]+)
> -----------------^^^^^^^
Of course, such a change would have to be applied to the two previous expressions as well.

Unfortunately, this allows markup to get through that would normally be stripped. Take the following tricky mail message:

    Content-Type: multipart/mixed; boundary="XXXXX"

    --XXXXX
    Content-Type: text/html

    <img
    --XXXXX
    Content-Type: text/html

    src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png">
    --XXXXX--

The final HTML message page will contain the following:

    <img src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png">

I.e., an auto-loaded URL got by the filtering.

Now, stripping any unclosed open tag at the end of an HTML part and stripping any partial tag at the start of an HTML part could prevent this (and possibly related) exploit. To avoid any possible XSS exploits by "loosening" the existing filtering code, parsing the HTML tags themselves would be needed, and then tested, which would add extra processing overhead.

I am reluctant to loosen up the filtering code at this time due to XSS issues since I am not confident that any kind of loosening cannot be exploited (even if I or you cannot see any potential exploits, someone else might).

It is not on my priority list to develop a more intelligent HTML filter, however, contributions are welcome.

--ewh
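
The split-tag case discussed above, as an added Python example that is not code from MHonArc or from either poster. The filter is my approximation of the attribute-stripping substitutions with the proposed `[^?&;]` prefix (the quoted and unquoted value forms folded into one pattern, an empty quoted value as the assumed replacement, and an assumed `$UAttr` list), followed by the start/end trimming suggested in the reply.

```python
import re

# Constructed sample: the two text/html parts of the tricky message in the
# thread. The <img ...> tag straddles the part boundary, so neither part
# contains a complete tag on its own.
HTML_PARTS = [
    '<img ',
    'src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png">',
]

UATTR = r'(?:src|background|lowsrc)'   # assumed contents of $UAttr

# Approximation of the proposed filter. The leading [^?&;] is the change
# under discussion: it leaves ?src=, &src= and ;src= (URL query parameters)
# alone, but it also demands that *some* character precede the attribute
# name, which is exactly what a part beginning with "src=" lacks.
PROPOSED_RE = re.compile(
    r'([^?&;]' + UATTR + r'\s*=\s*)(?:"[^"]*"|\'[^\']*\'|[^\s\'">][^\s>]*)',
    re.IGNORECASE)

def filter_part(html):
    """Strip auto-loaded URL attribute values (replacement value assumed)."""
    return PROPOSED_RE.sub(r'\1""', html)

# The mitigation suggested in the reply: drop a partial tag at the start of a
# part and an unclosed open tag at its end, so a tag cannot be assembled from
# fragments that were filtered separately.
def trim_split_tags(html):
    html = re.sub(r'^[^<]*>', '', html)    # '...>' with no '<' before it
    html = re.sub(r'<[^>]*$', '', html)    # '<...' that is never closed
    return html

def render(parts, trim=False):
    """Filter each HTML part independently (as the archiver does) and join."""
    out = []
    for part in parts:
        if trim:
            part = trim_split_tags(part)
        out.append(filter_part(part))
    return ''.join(out)

if __name__ == '__main__':
    print(render(HTML_PARTS))                   # complete <img src=...> gets through
    print(repr(render(HTML_PARTS, trim=True)))  # '' : both fragments dropped
```

The trimming is a heuristic: a stray `>` in ordinary text at the start of a part (with no `<` before it) is dropped along with the text preceding it, which is the cost of not parsing the tags.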
