daemon@ATHENA.MIT.EDU (Grahame Bowland)
Fri Jan 7 16:27:21 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000106140358.B25705@tartarus.uwa.edu.au>
Date: Thu, 6 Jan 2000 14:03:58 +0800
Reply-To: Grahame Bowland <gbowland@TARTARUS.UWA.EDU.AU>
From: Grahame Bowland <gbowland@TARTARUS.UWA.EDU.AU>
X-To: Metal Hurlant <metal_hurlant@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <0001051204120C.00475@jameson.paris.yahoo.com>; from Metal
Hurlant on Wed, Jan 05, 2000 at 11:52:46AM +0100
> On Jan 05, Metal Hurlant scrawled :
> > Due to the open nature of HTML it is impossible to know all attributes
> > which may contain URLs. And I thinks it is safe to assume that all
> > attribute values may be contain URLs... I can't come up with a practical
> > HTML application where the attribute value "javascript:<something>"
> > makes much sense other than when refering to javascript code to be
> > executed.
>
> Things are a bit more complicated than that:
> - javascript code can be placed in a growing number of optional tag parameters
> (like onmouseover, onload, etc..). The only way to block those is to keep an
> extensive and up-to-date list of every possible parameter allowing to run a
> script.
> - Netscape supports something called javascript style sheets, allowing to
> embed javascript between <style> tags
> - Netscape recognizes mocha: and livescript: urls and treats them like
> javascript: urls
>
> I'm sure IE has its own share of incompatible and not widely known ways to run
> scripts.
> Everyone thinks Javascript is cool (except maybe some weird security folks),
> so each new browser version is very likely to have a few new ways to do more
> cool things in javascript..
I think this a backwards approach to the problem. Why not implement
a filtering program that denies all attributes to HTML tags that are not in a
master list, and then filter those attributes according to their specified
behaviour? HTML email shouldn't require the more esoteric attributes
provided by MSIE and Netscape.
This could at least be implemented as an "additional security" feature.
Just an idea :)
Grahame Bowland
