Dangerous html tag?
Rick Cooper
rcooper at DWFORD.COM
Thu Mar 18 16:17:36 GMT 2004
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: Thursday, March 18, 2004 8:57 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Dangerous html tag?
>
>
> At 12:33 18/03/2004, you wrote:
> >Remco Barendse wrote:
> >
> >>I haven't got a clue whether Object Tags are ever used for something
> >>legit.
> >>
> >>Could you make the Object Codebase look at the allowed / disallowed
> >>extension list? Any file we do not allow as an attachment form should be
> >>utterly destroyed when in Object Codebase?
> >>
> >>This would allow mails with images and other stuff we may allow but not
> >>objectionable content.
> >>
> >>Just an idea :)
> >>
> >>On Thu, 18 Mar 2004, Julian Field wrote:
> >>
> >
> >Julian is it feasible to consider a list of tags that are
> >disarmed/banned/allowed ? So in the future we could just add the tag to
> >an existing list and it will be destroyed? Or something like this
> >similarly modular to save upgrading MS for this same thing (catching
> >tags) in the future?
>
> Certainly feasible. I will take a look, and agree it would be a good idea.
> How would we handle the yes/no/disarm values for each one?
> The yes/no is easy, just block it if it's in the list.
> But the disarm option?
> And what about being able to use a ruleset? The ruleset would have to apply
> to the whole configuration option, not just the separate bits of it.
> And what about the report message included whenever one or more of these
> tags are found?
>
> Allow HTML tags = iframe=yes form=disarm object/codebase=no object/data=no
>
> So "yes" would be the same as not listing the tag at all, the other
> possibilities would be "no" and "disarm". Complex tags like <Object
> Codebase=...> would be separated with a "/".
>
> That looks ugly. Can someone come up with something better?
> --
Depends on whether you are passing the message body as an entity or
line by line. If you pass it as a total object ($string) perhaps
something like:

config:
object/codebase/data script/java/vbs
tag/item/item.. split into two arrays, one for the tag and the other
for the items

the code part:
CHECK: foreach my $tag (@tags){
    # if a specified HTML tag exists see if it contains something
    # we don't want. example <script type="text/vbscript"
    # the /si should catch it even if split across lines;
    # \b stops "object" also matching "<objectfoo"
    if($body =~ /<\s*$tag\b([^>]*)>/si){
        # keep the attributes: the inner match below would reset $1
        my $attrs = $1;
        # If $item is in the string captured between <> then
        # remove everything between <tag...> and </tag>
        foreach my $item (@items){
            if($attrs =~ /$item/si){
                $body =~ s/<\s*$tag\b[^>]*>.*?<\s*\/$tag\s*>//si;
                last;
            }
        }
    }
}
For the actual config how about a filename.rules type thing like
html.tags.rules:
deny object codebase/data
disarm script java/vbs
disarm iframe .*

Of course I haven't tested this nor checked for typos and it may
need refining to check for broken close tags.
If the end tag doesn't exist then perhaps remove entirely, or remove
from <tag> to the end:
if($body !~ /<\s*\/$tag\s*>/si){
    # no close tag: drop everything from the opening tag onwards
    $body =~ s/<\s*$tag\b.*//si;
    last CHECK;
}else{
    $body =~ s/<\s*$tag\b[^>]*>.*?<\s*\/$tag\s*>//si;
    last;
}
Rick
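The rule file and disarm/deny behaviour sketched in the thread, carried through as an added, runnable example. This is not code from the thread or from MailScanner (which is written in Perl); it is a Python illustration of the same regex approach, so it shares the posted snippet's limits (a ">" inside a quoted attribute value, or an encoded tag, will confuse it). The rule syntax "action tag item/item..." follows Rick's html.tags.rules proposal, with "deny" meaning block the message (Julian's "no") and "disarm" meaning strip the element through its close tag, or to the end of the body when the close tag is missing. The function names, the sample rule file and the sample HTML bodies (with example.invalid URLs) are all constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class TagRule:
    action: str    # "deny" (block the message) or "disarm" (strip the element)
    tag: str       # element name, lower-cased
    items: list    # compiled regexes; any one matching the tag's attributes fires the rule


# constructed sample of the proposed html.tags.rules format
RULES_TEXT = """
# action  tag     item/item...
deny      object  codebase/data
disarm    script  java/vbs
disarm    iframe  .*
"""


def parse_rules(text):
    """Parse 'action tag item/item...' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError("bad rule line: %r" % raw)
        action, tag, items = parts
        action = action.lower()
        if action not in ("deny", "disarm"):
            raise ValueError("unknown action %r in %r" % (action, raw))
        # items are separated by "/", as in the thread's proposal
        patterns = [re.compile(item, re.I | re.S) for item in items.split("/")]
        rules.append(TagRule(action, tag.lower(), patterns))
    return rules


def _open_re(tag):
    # <tag attrs>: \b keeps "object" from matching "<objective>";
    # [^>]* lets the attributes span lines (the Perl /s in the thread)
    return re.compile(r"<\s*%s\b([^>]*)>" % re.escape(tag), re.I)


def _close_re(tag):
    return re.compile(r"<\s*/\s*%s\s*>" % re.escape(tag), re.I)


def check_body(rules, body):
    """Apply the rules to an HTML body.

    Returns (verdict, body, log). verdict is None when the message may pass
    (possibly with elements disarmed), or a string naming the deny rule hit,
    in which case body is returned untouched.
    """
    log = []
    for rule in rules:
        open_re, close_re = _open_re(rule.tag), _close_re(rule.tag)
        pos = 0
        while True:
            m = open_re.search(body, pos)
            if m is None:
                break
            attrs = m.group(1)
            hit = next((p.pattern for p in rule.items if p.search(attrs)), None)
            if hit is None:
                pos = m.end()      # this instance is allowed; look past it
                continue
            if rule.action == "deny":
                return "deny %s (%s)" % (rule.tag, hit), body, log
            # disarm: drop from the opening tag through its close tag, or to
            # the end of the body when the close tag is missing
            close = close_re.search(body, m.end())
            end = close.end() if close else len(body)
            log.append("disarmed <%s> (%s)%s"
                       % (rule.tag, hit, "" if close else ", no close tag"))
            body = body[:m.start()] + body[end:]
            pos = m.start()
    return None, body, log


# constructed sample bodies
SAMPLE_CLEAN = '<p>Hello</p><img src="cid:logo">'
SAMPLE_DENY = '<p>Hi</p><OBJECT\n  codebase="http://example.invalid/x.cab">\n</OBJECT>'
SAMPLE_DISARM = ('<p>Hi</p><script type="text/vbscript">MsgBox 1</script>'
                 '<img src="cid:logo"><iframe src="http://example.invalid/">rest')

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, body in (("clean", SAMPLE_CLEAN), ("deny", SAMPLE_DENY),
                       ("disarm", SAMPLE_DISARM)):
        verdict, out, log = check_body(rules, body)
        print(name, "->", verdict, log, repr(out))
```

With these three rules an <object> whose attributes name neither codebase nor data is left alone, and an attribute-less <script> passes: a rule only fires when one of its items matches the attributes, so a catch-all item (".*", as in the iframe line) is needed to hit every instance of a tag. The deny check returns before anything is stripped, so the blocked message is delivered to the report step unmodified.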