Allow ..... Tags = disarm
P.G.M.Peters at utwente.nl
Thu Nov 6 09:19:11 GMT 2003
On Wed, 5 Nov 2003 10:07:13 -0500, you wrote:
>> A "Form" tag is replaced with a "MailScannerFormxxxx" tag,
>> where xxxx is an
>> essentially random number (it's actually the process id). As
>> this is an
>> HTML tag not recognised by your email client (or web browser)
>> it will just
>> be ignored completely, as it should be according to the HTML spec.
>> An "Input" tag is modified so its type is a "reset" button, and all
>> A "Button" tag is modified so its type is a "reset" button, and all
>What's the point of disarming input tags when form tags are taken out? An
>input without a form does nothing.
At least it should do nothing. But I don't know whether some "clever"
company wouldn't design a browser that tries to act on inputs without a
>Changing the type of buttons seems like a very bad idea to me - I can easily
>imagine a lot of confusion resulting and it doesn't seem like a useful
But buttons won't work without the form of do they.
>> The point of the xxxx number on the end of each tag name is to protect
>> against an attack in which a new XML object or stylesheet
>> setting is used
>> to create a new tag called "MailScannerForm" which has the
>> same actions as
>> a conventional "Form" tag.
>I would prefer that the changes to the HTML be reversible - this makes that
>more difficult. Wouldn't it be just as useful to prepend
>"MailScanner_%orgname%_"? Seems like that would be enough to defeat the
>attack. And blocking both <script> tags and on* attributes means there's
>nothing left that can examine the DOM to figure out the %orgname% string
This would still not protect the %org% against attacks specifically
aimed at that org.
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
More information about the MailScanner