iframe dilemma: a compromise?

Tal Kelrich tal at MUSICGENOME.COM
Wed Nov 6 18:20:32 GMT 2002


On Wed, 2002-11-06 at 19:08, Julian Field wrote:
> Eek, that sounds like far too much hard work for me. Don't forget that my
> proposed "Convert Dangerous HTML to Text" option can be a ruleset or a
> custom function for working out which messages to massage.
> 
> Converting the IFrames to Divs is a bit harder for me (as I have to start
> parsing the HTML tag by tag and replacing certain tags while leaving others
> alone, and who's to say there aren't possible exploits in Divs too?).
> Allowing your own code to run at this point is awkward too, as you would
> have to know quite a lot about the internal structure of MailScanner to
> even start to be able to do something useful, and you may open yourself up
> to various attacks in the process.
Couldn't you just use Anomy Sanitizer's Anomy::HTMLCleaner?
It seems to be pretty well written, as well as maintained
(though some print STDERR and logging should be changed).
(http://mailtools.anomy.net/)
-- 
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
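The tag-by-tag rewrite Julian describes above (turn iframes into divs, leave other tags alone, and also cover the "exploits in Divs too" worry by dropping event-handler attributes and javascript: URLs), as an added illustration that is not MailScanner's or Anomy's own code. It uses Python's standard html.parser on a constructed message body; the tag and attribute lists are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser

# Tags rewritten in place to a plain container; their attributes are dropped so no src survives.
REWRITE = {"iframe": "div", "frame": "div", "object": "div", "embed": "div"}
# Tags whose whole content is discarded: nothing inside them is visible text anyway.
DROP_WITH_CONTENT = {"script", "style"}
URL_ATTRS = {"href", "src", "background", "action"}


class HtmlNeutralizer(HTMLParser):
    """Walk the markup tag by tag, rewrite the dangerous ones and pass the rest through."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives decoded; re-escape on output
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:  # html.parser has already lowercased the names
            if name.startswith("on"):  # event handlers: the 'exploits in Divs too' case
                continue
            if name in URL_ATTRS and value and "".join(value.split()).lower().startswith("javascript:"):
                continue
            kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        if self.skip_depth:
            return
        # An iframe keeps its place in the layout as an empty div, but no attribute is carried over.
        self.out.append(f"<{REWRITE[tag]}>" if tag in REWRITE else f"<{tag}{self._clean_attrs(attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{REWRITE.get(tag, tag)}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def neutralize_html(markup):
    """Return the message body with dangerous tags rewritten and the rest left intact."""
    parser = HtmlNeutralizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

This is a stripping rewriter, not an allow-list cleaner, so a maintained HTML cleaner such as Anomy::HTMLCleaner remains the better fit for production mail.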