-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 06 September 2002 19:19, William_dw -- Sqlcoders wrote:
> > > >As a final thought, couldn't we just work around deficiencies like
> > > >that? What happens if you send "text/x-really-plain" instead?
> > > >
> > > >--
> > > >Robbe
> > >
> > > As far as I've found IE really likes HTML, unless it pop's up a file
> > > download box it will try to interpret any HTML looking text in the file
>
> i'm
>
> > > afraid.
> >
> > If IE is detected, FProxy could make an HTML document with a large
>
> <TEXTAREA>
>
> > (say, 70 cols and 25 rows) and put the actual document in that. Surely
> > IE won't parse HTML inside a <TEXTAREA>. Or would it?
>
> This is just a thought, but...
>
> If I wanted to be malicious I could simply add a </textarea> to the start
> of my documents, which would let me put in other HTML elements and have
> them processed in browsers that can process HTML.
<>
Ahh, excelent point. I tried coming up with a few ways around this:
1) Removing any HTML tags, or at least any </TEXTAREA> tags
2) Replacing '<' with '<'
3) Use JavaScript to place the text into an empty <TEXTAREA> (we know they're
using IE, so it's not a problem of compatibility)
For 1, you get rid of perfectly good uses of HTML in a text document (what if
it's a plaintext document about learning HTML?) It is even problematic if
limited to just </TEXTAREA> tags.
For 2, it is unknown how IE will render this (at least it is for me). Also,
Java lacks a good search-and-replace function (though this can be worked
around). Someone will have to test this to see what happens.
For 3, at first I thought of something like this:
<form name="text">
<textarea name="plain" rows="25" cols="70"></textarea>
</form>
<script type="javascript">
document.text.plain.value = "text to add";
</script>
But this just changes the attacker's problem to using '";</script>' instead of
'</textarea>'. So I thought of more sophisticated solutions, like using
remote scripting to have the browser grab the text while it's executing the
JavaScript. This set off my internal over-engineering alarm.
- --
If the automobile had followed the same development as the computer, a
Rolls-Royce would today cost $100, get a million miles per gallon,
and explode once a year killing everyone inside.
--Robert Cringely, InfoWorld
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj15f2oACgkQqpueKcacfLSbogCgl2DPPjdXdMKNPxHg9W1cn4t/
Jz0AoMWKT8OaoUMRzNhMJRk7eZw5WT1D
=TF3B
-----END PGP SIGNATURE-----
_______________________________________________
devl mailing list
devl at freenetproject.org
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl
