Allow ..... Tags = disarm

Peter Peters P.G.M.Peters at
Thu Nov 6 09:19:11 GMT 2003

On Wed, 5 Nov 2003 10:07:13 -0500, you wrote:

>> A "Form" tag is replaced with a "MailScannerFormxxxx" tag,
>> where xxxx is an
>> essentially random number (it's actually the process id). As
>> this is an
>> HTML tag not recognised by your email client (or web browser)
>> it will just
>> be ignored completely, as it should be according to the HTML spec.
>> An "Input" tag is modified so its type is a "reset" button, and all
>> JavaScript "on..." methods are removed.
>> A "Button" tag is modified so its type is a "reset" button, and all
>> JavaScript "on..." methods are removed.
>What's the point of disarming input tags when form tags are taken out?  An
>input without a form does nothing.

At least it should do nothing. But I don't know whether some "clever"
company wouldn't design a browser that tries to act on inputs without a

>Changing the type of buttons seems like a very bad idea to me - I can easily
>imagine a lot of confusion resulting and it doesn't seem like a useful

But buttons won't work without the form of do they.

>> The point of the xxxx number on the end of each tag name is to protect
>> against an attack in which a new XML object or stylesheet
>> setting is used
>> to create a new tag called "MailScannerForm" which has the
>> same actions as
>> a conventional "Form" tag.
>I would prefer that the changes to the HTML be reversible - this makes that
>more difficult.  Wouldn't it be just as useful to prepend
>"MailScanner_%orgname%_"?  Seems like that would be enough to defeat the
>attack.  And blocking both <script> tags and on* attributes means there's
>nothing left that can examine the DOM to figure out the %orgname% string

This would still not protect the %org% against attacks specifically
aimed at that org.

Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente,  Postbus 217,  7500 AE  Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383,

More information about the MailScanner mailing list