iframe dilemma: a compromise?

Julian Field mailscanner at ecs.soton.ac.uk
Wed Nov 6 17:08:32 GMT 2002


At 16:06 06/11/2002, you wrote:
>On Wed, 6 Nov 2002, Tal Kelrich wrote:
>
> > On Wed, 2002-11-06 at 14:38, Julian Field wrote:
> > > So, say you have
> > >          Allow IFrame Tags = yes
> > > but you also have a new option
> > >          Convert Dangerous HTML to Text = yes
> > > then the message contents would be allowed through (by the 1st option) but
> > > it would be stripped down to plain text (by the 2nd option). The definition
> > > of "Dangerous" in this context is HTML containing either IFrame tags or
> > > Object Codebase tags.
> > how about converting it into slightly less dangerous HTML? (assuming
> > users still want their HTML mail intact, which I think will mostly be
> > the case)
> > ie, turn IFRAME into DIV or something similar.
>
>So, to generalise, Julian's suggested binary switch:
>    Convert Dangerous HTML to Text = yes
>
>this could become something vaguely like:
>    Convert Dangerous HTML = {text|div|\&perl_routine|...}
>
>Note the "vaguely like": this is simply exploration of ideas.
>
>The "text" would strip out the iframe (result is a text message containing
>HTML tags: not spectacularly user-friendly, but simple and vaguely
>readable).
>
>The "div" would convert the "iframe": presumably the result would be
>modified HTML, still viewed in a WWW-browser-like window.
>
>The "\&perl_routine" would allow a site to have its own code.  (Analogy: I
>recall some discussion about some sort of "Custom" facility.)  For
>instance, that "perl_routine" might somehow invoke a custom, safer
>browser (perhaps lynx?).  All very hand-wavy!

Eek, that sounds like far too much hard work for me. Don't forget that my
proposed "Convert Dangerous HTML to Text" option can be a ruleset or a
custom function for working out which messages to massage.

Converting the IFrames to Divs is a bit harder for me (as I have to start
parsing the HTML tag by tag and replacing certain tags while leaving others
alone, and who's to say there aren't possible exploits in Divs too?).
Allowing your own code to run at this point is awkward too, as you would
have to know quite a lot about the internal structure of MailScanner to
even start to be able to do something useful, and you may open yourself up
to various attacks in the process.

I prefer to keep it simple, if that will satisfy most people. (I can't
satisfy all the users all the time, and still get to sleep a few hours each
night).

David, I'll mail you a URL in a moment so you can try out what I've done.
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
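
Added example, not part of the original message and not MailScanner's code: a Python sketch of the "keep it simple" option discussed in this thread, using the thread's definition of "Dangerous" (IFrame tags or Object tags with a Codebase attribute). The names DangerScan and convert_dangerous_html_to_text and the sample messages are constructed for illustration. Only flagged messages are reduced to text, so no tag-by-tag rewriting is needed.

```python
from html.parser import HTMLParser

BLOCK_TAGS = {"br", "p", "div", "tr", "li"}   # start a new text line
HIDDEN_TAGS = {"script", "style"}             # content is never shown as text


class DangerScan(HTMLParser):
    """Collect visible text and flag IFrame / Object Codebase tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.dangerous = False
        self.text = []
        self._hidden = 0  # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        attr_names = {name for name, _ in attrs}
        if tag == "iframe" or (tag == "object" and "codebase" in attr_names):
            self.dangerous = True
        if tag in HIDDEN_TAGS:
            self._hidden += 1
        elif tag in BLOCK_TAGS:
            self.text.append("\n")

    def handle_endtag(self, tag):
        if tag in HIDDEN_TAGS and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text.append(data)


def convert_dangerous_html_to_text(html):
    """Return (was_dangerous, body); body is the untouched HTML when safe."""
    scan = DangerScan()
    scan.feed(html)
    scan.close()
    if not scan.dangerous:
        return False, html
    lines = (" ".join(l.split()) for l in "".join(scan.text).splitlines())
    return True, "\n".join(l for l in lines if l)


# Constructed sample bodies (not taken from real mail).
SAFE = "<html><body><p>Hello <b>world</b></p></body></html>"
WITH_IFRAME = ('<html><body><p>Invoice attached</p>'
               '<IFRAME SRC="cid:part1" height=0 width=0></IFRAME></body></html>')
WITH_OBJECT = ('<p>Update required</p><OBJECT CLASSID="clsid:placeholder" '
               'CODEBASE="http://example.invalid/x.cab"></OBJECT>')
```
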
