[7044] in bugtraq
Re: guestbook script is still vulnerable under apache
daemon@ATHENA.MIT.EDU (Lincoln Stein)
Fri Jun 26 17:13:32 1998
Date: Fri, 26 Jun 1998 09:29:27 -0400
Reply-To: Lincoln Stein <lstein@CSHL.ORG>
From: Lincoln Stein <lstein@CSHL.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980625154256.31047A-100000@andru>
> On Thu, 25 Jun 1998, Theo Van Dinter wrote:
> > I don't use the program in question so I can't pass this on to the author, but
> > here is a replacement for that "bad" line that will handle all (to my
> > knowledge) SSI's including malformed ones:
> >
> > $value=~s{
> > <! # Comments start with <!
> > ([^<>]|<[^<>]+>)* # Remove anything in between, including
> > # the non-spec'ed included tags ...
> > > # End of the comment.
> > }{}gsx; # Replace with Nothing
> >
Tom Christiansen is on record (and in print) as saying that there is
no single regular expression that can be used to strip out HTML
comments (or any other HTML tag) 100% of the time. I don't see why
you would want to allow a guestbook upload to contain any HTML tags
anyway, since it is so easy for broken HTML to mess up the page
downstream of the problem.
Lincoln
========================================================================
Lincoln D. Stein Cold Spring Harbor Laboratory
lstein@cshl.org Cold Spring Harbor, NY
========================================================================
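
The contrast discussed in this message, as an added example that is not part of the original post or of the guestbook script: the quoted substitution only removes `<!...>` constructs, while escaping every metacharacter leaves no markup in the stored entry at all. The sub names and sample submissions are constructed for illustration, and escaping (rather than rejecting) is one assumed way of not allowing HTML tags.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The substitution from the quoted message, wrapped in a sub (name is hypothetical).
sub strip_comments {
    my ($value) = @_;
    $value =~ s{
        <!                      # Comments start with <!
        ([^<>]|<[^<>]+>)*       # Anything in between, including nested tags
        >                       # End of the comment.
    }{}gsx;
    return $value;
}

# Assumed alternative: allow no markup at all by escaping HTML metacharacters.
my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

sub escape_entry {
    my ($value) = @_;
    $value =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $value;
}

# Constructed sample submissions (not taken from the thread).
my @samples = (
    'Nice site! <!--#echo var="DATE_LOCAL" --> See you.',  # SSI-style comment
    'Great page <b>thanks',                                # unclosed tag
    'Tom & Jerry <3 this guestbook',                       # stray < and &
);

for my $in (@samples) {
    my $stripped = strip_comments($in);
    my $escaped  = escape_entry($in);
    printf "input   : %s\nstripped: %s\nescaped : %s\n", $in, $stripped, $escaped;
    # Report whether any raw angle bracket survives each treatment.
    printf "raw markup left after strip: %s, after escape: %s\n\n",
        ($stripped =~ /[<>]/ ? 'yes' : 'no'),
        ($escaped  =~ /[<>]/ ? 'yes' : 'no');
}
```

On these samples the substitution removes the comment in the first entry but passes the unclosed `<b>` and the stray `<` through unchanged, whereas the escaped form never contains a raw angle bracket.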