On Fri, 15 Sep 2023, Bill Cole wrote:
On 2023-09-14 at 11:01:37 UTC-0400 (Thu, 14 Sep 2023 15:01:37 +0000 (UTC))
Pedro David Marco via users <pedrod_ma...@yahoo.com>
is rumored to have said:
The same happens with other HTML tags...
<img src= can be replaced with <img xyz/src=
virtually any char but >
So, with Giovanni's permission, I tighten the nut 1 more turn (limiting
to 100 chars to prevent Regex Self-DOS)
rawbody BADHREF /<(a|img|video)[^>]{0,100}\/(src|href)\=/
Pete.
I've tweaked this a bit and added it to my ruleQA sandbox:
describe HTML_BADATTR Illegal char in HTML attribute name
rawbody HTML_BADATTR /<[a-z]{1,10}[^>]{1,80}\/(src|href)\=/
Probably should loosen that a tiny bit to allow for whitespace between the
attr and the equals sign, and a whitespace after the tag name will keep
the two variable-length REs from competing:
/<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Microsoft is not a standards body.
-----------------------------------------------------------------------
Today: the 236th anniversary of the signing of the U.S. Constitution
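
An added example, not part of the original messages: the three patterns quoted in this thread, run over constructed sample lines to show which rule fires on which markup, including a legitimate URL whose path contains "/src=". The rule name HTML_BADATTR_WS and all sample lines are assumptions made for this example; SpamAssassin compiles these as Perl regexes, and the patterns use only syntax that Python's re module handles the same way.

```python
import re

# The three patterns quoted in the thread, verbatim.
RULES = {
    "BADHREF": r"<(a|img|video)[^>]{0,100}\/(src|href)\=",
    "HTML_BADATTR": r"<[a-z]{1,10}[^>]{1,80}\/(src|href)\=",
    # Hypothetical name for the loosened variant proposed in the last reply.
    "HTML_BADATTR_WS": r"<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}

# Constructed sample lines (not taken from real mail).
SAMPLES = {
    "clean_img": '<img src="https://example.com/a.png">',
    "slash_src": '<img xyz/src="https://example.com/a.png">',
    "space_before_eq": '<a xyz/href ="https://example.com/">',
    "other_tag": '<div xyz/src="https://example.com/a.png">',
    # Legitimate markup: "/src=" sits inside the URL, not in an attribute name.
    "url_path": '<a href="https://example.com/redirect/src=newsletter">',
}


def hits(line):
    """Return the sorted names of the rules whose pattern matches the line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(line))


def report():
    """Map each sample label to the list of rules that fire on it."""
    return {label: hits(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, matched in report().items():
        print(f"{label:16} {', '.join(matched) or '-'}")
```

The url_path sample trips all three patterns even though its markup is valid, which is worth weighing when the rule is scored.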