-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 06 September 2002 19:19, William_dw -- Sqlcoders wrote: > > > >As a final thought, couldn't we just work around deficiencies like > > > >that? What happens if you send "text/x-really-plain" instead? > > > > > > > >-- > > > >Robbe > > > > > > As far as I've found IE really likes HTML, unless it pop's up a file > > > download box it will try to interpret any HTML looking text in the file > > i'm > > > > afraid. > > > > If IE is detected, FProxy could make an HTML document with a large > > <TEXTAREA> > > > (say, 70 cols and 25 rows) and put the actual document in that. Surely > > IE won't parse HTML inside a <TEXTAREA>. Or would it? > > This is just a thought, but... > > If I wanted to be malicious I could simply add a </textarea> to the start > of my documents, which would let me put in other HTML elements and have > them processed in browsers that can process HTML. <>
Ahh, excelent point. I tried coming up with a few ways around this: 1) Removing any HTML tags, or at least any </TEXTAREA> tags 2) Replacing '<' with '<' 3) Use JavaScript to place the text into an empty <TEXTAREA> (we know they're using IE, so it's not a problem of compatibility) For 1, you get rid of perfectly good uses of HTML in a text document (what if it's a plaintext document about learning HTML?) It is even problematic if limited to just </TEXTAREA> tags. For 2, it is unknown how IE will render this (at least it is for me). Also, Java lacks a good search-and-replace function (though this can be worked around). Someone will have to test this to see what happens. For 3, at first I thought of something like this: <form name="text"> <textarea name="plain" rows="25" cols="70"></textarea> </form> <script type="javascript"> document.text.plain.value = "text to add"; </script> But this just changes the attacker's problem to using '";</script>' instead of '</textarea>'. So I thought of more sophisticated solutions, like using remote scripting to have the browser grab the text while it's executing the JavaScript. This set off my internal over-engineering alarm. - -- If the automobile had followed the same development as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year killing everyone inside. --Robert Cringely, InfoWorld -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj15f2oACgkQqpueKcacfLSbogCgl2DPPjdXdMKNPxHg9W1cn4t/ Jz0AoMWKT8OaoUMRzNhMJRk7eZw5WT1D =TF3B -----END PGP SIGNATURE----- _______________________________________________ devl mailing list [EMAIL PROTECTED] http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl