Defang'ing HTML - was RE: Content Checks: Detected HTML-specific exploits in h8AGGVSe016972
Furnish, Trever G
TGFurnish at HERFF-JONES.COM
Thu Sep 11 19:12:49 IST 2003
> -----Original Message-----
> From: Kevin Spicer [mailto:kevins at BMRB.CO.UK]
> Sent: Thursday, September 11, 2003 10:08 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Content Checks: Detected HTML-specific exploits in
> h8AGGVSe016972 {Scanned by HJMS}
>
>
> On Thu, 2003-09-11 at 15:36, Ugo Bellavance wrote:
>
> >>> I think he means that he would like to have the HTML cleaned from
> harmful tags, but without converting into text.
>
> >Ugo
>
> >Surely this is precisely what "Convert Dangerous HTML to
> Text = yes" is
> >for?
> >Or am I misunderstanding that MS option?
>
> "Convert Dangerous HTML to Text" converts the _entire_ html message to
> text if any of the objectionable tags are found. What I was
> suggesting
> was that a better filter would only remove the dangerous/objectionable
> tags. This however is not as simple as it sounds, and there are all
> sorts of things that need thinking about, for example its possible to
> create a form (or other html content) using embedded javascript etc.
> therefore all script content should be removed etc. etc.
Completely agreed here - I would much, much, MUCH rather have a list of tags
that I can "defang" and customize as I see fit. These tags would just get
some predictable string prepended to them (which also ought to be
customizable).
For example, if the defang string were "Defanged_by_HJMS_", and I put "form"
and "script" on my list of tags to defang, then these tags:
<form method="post" action="...">
</form>
<script>
</script>
...would get turned into these tags:
<Defanged_by_HJMS_form method="post" action="...">
</Defanged_by_HJMS_form>
<Defanged_by_HJMS_script>
</Defanged_by_HJMS_script>
Then really knowledgeable people can even re-fang a file (as long as it
didn't originally include a string matching the defang string). This
defanging is one of the features I miss from the procmail filter I used to
run:
http://www.impsec.org/email-tools/procmail-security.html
To be fair though I haven't even *tried* MS's HTML conversion stuff yet
since I thought it would strip the entire message, which is absolutely NOT
what I need.
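The tag-renaming filter Trever describes above, written out as an added example (this is not MailScanner code, nor the procmail filter he links; it is a small Python illustration, and the tag list, the marker string and the sample message are constructed here). Defanging only rewrites the tag names on a configurable list, so the rest of the message survives; re-fanging strips the marker again, and a separate check covers the caveat that re-fanging is only unambiguous when the original message never contained the marker string.

```python
import re

# Constructed defaults: the tags to defang and the marker to prepend.
DEFAULT_TAGS = ("form", "script")
DEFAULT_MARKER = "Defanged_by_HJMS_"


def _tag_re(tags):
    """Regex matching the opening or closing tag of any listed tag name.

    group 1: the optional "/" of a closing tag; group 2: the tag name.
    The lookahead requires the name to be followed by whitespace, "/" or ">",
    so "form" does not match "<formula>". Tag names match case-insensitively.
    """
    names = "|".join(re.escape(t) for t in tags)
    return re.compile(r"<(/?)(" + names + r")(?=[\s/>])", re.IGNORECASE)


def defang_html(html, tags=DEFAULT_TAGS, marker=DEFAULT_MARKER):
    """Prepend `marker` to every listed tag name; return (text, count).

    Attributes, content and the rest of the message are left untouched;
    `count` tells the caller (or a log line) how many tags were renamed.
    """
    return _tag_re(tags).subn(
        lambda m: "<" + m.group(1) + marker + m.group(2), html
    )


def refang_html(html, marker=DEFAULT_MARKER):
    """Reverse defang_html() by removing `marker` from the start of tag names."""
    return re.sub(r"<(/?)" + re.escape(marker), r"<\1", html)


def refang_is_unambiguous(original_html, marker=DEFAULT_MARKER):
    """True if re-fanging can restore the original exactly.

    If the original already contained the marker string, refang_html()
    would also strip those occurrences, so the round trip is not safe.
    """
    return marker not in original_html


# Constructed sample message; note the upper-case FORM and the unrelated
# <formula> tag, which must not be touched.
SAMPLE = (
    '<html><body>'
    '<FORM method="post" action="http://example.invalid/x">'
    '<script>void 0</script>'
    '</FORM><formula>x</formula><p>hi</p></body></html>'
)

if __name__ == "__main__":
    defanged, n = defang_html(SAMPLE)
    print(n, "tags defanged")
    print(defanged)
    print("round trip ok:", refang_html(defanged) == SAMPLE)
```

Two points a practitioner would keep in mind: the filter only rewrites the tag names on the list, so event-handler attributes and scripted URLs in other tags are outside its scope and need their own rule, and a tag that is split or encoded so that it does not look like `<script` on the wire will not be matched by this regex.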