Timm Murray wrote:
| On Friday 06 September 2002 19:19, William_dw -- Sqlcoders wrote:
|
|>>>>As a final thought, couldn't we just work around deficiencies like
|>>>>that? What happens if you send "text/x-really-plain" instead?
|>>>>
|>>>>--
|>>>>Robbe
|>>>
|>>>As far as I've found IE really likes HTML, unless it pops up a file
|>>>download box it will try to interpret any HTML looking text in the file
|>>>I'm afraid.
|>>
|>>If IE is detected, FProxy could make an HTML document with a large
|>><TEXTAREA> (say, 70 cols and 25 rows) and put the actual document in that.
|>>Surely IE won't parse HTML inside a <TEXTAREA>.  Or would it?
|>
|>This is just a thought, but...
|>
|>If I wanted to be malicious I could simply add a </textarea> to the start
|>of my documents, which would let me put in other HTML elements and have
|>them processed in browsers that can process HTML.
|
| Ahh, excellent point.  I tried coming up with a few ways around this:
|
| 1)  Removing any HTML tags, or at least any </TEXTAREA> tags
| 2)  Replacing '<' with '&lt;'
| 3)  Use JavaScript to place the text into an empty <TEXTAREA> (we know
| they're using IE, so it's not a problem of compatibility)

These things are a bit redundant.

You _always_ need to escape any text that's inside <textarea> (both <
and >), but you really don't need <textarea> when you escape
everything. You could just put the text inside <pre> so the formatting
doesn't change.

I'm just worried that since we don't know the exact conditions when
buggy browsers switch to HTML encoding, some dangerous content might get
missed.

Also, plaintext data or some similarly structured XML-like things that
aren't supposed to be HTML but look enough like it get their MIME type
changed (it has to be changed) and their data mangled with HTML encoding.
This probably isn't what the application or the person fetching the data
would expect.

Luckily this is only about fproxy, not the FCP protocol, but I can still
see potential problems emerging from this workaround.

Has anyone tested what happens when you put an HTML document in
image/jpeg MIME and throw that to IE?

- Jukka
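
The two wrappers discussed in this message, as an added example that is not part of the original post and not FProxy code: it wraps a constructed sample document in an unescaped `<textarea>` and in an escaped `<pre>`, then feeds both to Python's standard `html.parser` to show which one lets markup from the document be parsed. The function names and the sample text are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a "plain text" document that tries to close the wrapper.
SAMPLE = "line one\n</textarea><h1>injected</h1>\n1 < 2 && 3 > 2\n"


def wrap_textarea_raw(text):
    """Unescaped <TEXTAREA> wrapper, as first proposed in the thread."""
    return '<textarea cols="70" rows="25">' + text + "</textarea>"


def wrap_pre_escaped(text):
    """Escape &, <, > and quotes, then wrap in <pre> to keep line breaks."""
    return "<pre>" + html.escape(text, quote=True) + "</pre>"


class _Collector(HTMLParser):
    """Records every start tag and all character data the parser reports."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def parse(markup):
    """Return (start tags seen, character data) for a piece of markup."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()  # flush any buffered text
    return collector.tags, "".join(collector.text)


if __name__ == "__main__":
    # Raw wrapper: the document's own <h1> shows up as a parsed element.
    print(parse(wrap_textarea_raw(SAMPLE))[0])
    # Escaped wrapper: only <pre> is an element; the text round-trips intact.
    print(parse(wrap_pre_escaped(SAMPLE)))
```
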


_______________________________________________
devl mailing list
[EMAIL PROTECTED]
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl