> > >
> > > If IE is detected, FProxy could make an HTML document with a large
> > > <TEXTAREA> (say, 70 cols and 25 rows) and put the actual document in
> > > that. Surely IE won't parse HTML inside a <TEXTAREA>. Or would it?
> >
> > This is just a thought, but...
> >
> > If I wanted to be malicious I could simply add a </textarea> to the start
> > of my documents, which would let me put in other HTML elements and have
> > them processed in browsers that can process HTML.
>
> Ahh, excellent point. I tried coming up with a few ways around this:
>
> 1) Removing any HTML tags, or at least any </TEXTAREA> tags
> 2) Replacing '<' with '&lt;'
> 3) Use JavaScript to place the text into an empty <TEXTAREA> (we know they're
> using IE, so it's not a problem of compatibility)
>
> For 1, you get rid of perfectly good uses of HTML in a text document (what if
> it's a plaintext document about learning HTML?) It is even problematic if
> limited to just </TEXTAREA> tags.
>
> For 2, it is unknown how IE will render this (at least it is for me). Also,
> Java lacks a good search-and-replace function (though this can be worked
> around). Someone will have to test this to see what happens.
>
> For 3, at first I thought of something like this:
>
> <form name="text">
> <textarea name="plain" rows="25" cols="70"></textarea>
> </form>
> <script type="text/javascript">
> document.text.plain.value = "text to add";
> </script>
>
> But this just changes the attacker's problem to using '";</script>' instead of
> '</textarea>'. So I thought of more sophisticated solutions, like using
> remote scripting to have the browser grab the text while it's executing the
> JavaScript. This set off my internal over-engineering alarm.
>
LOL, OK, how about taking a step back: instead of focusing upon how to get
around certain tags (this means keeping up with HTML constantly; for example,
who knows what tag you can put inside a textarea next year that's
interpreted somehow), how about just fixing the problem at 'source' (bad
pun, but what the hell) instead of trying to fix the tags it defines?
I've always found that just replacing < with &lt; and > with &gt; stops IE from
interpreting things. It's always done so as far as I can remember, and I can
remember programming sprite animation on a Commodore C64, so I think I'd
remember it :)
The only problem is what other browsers would do if they found a &gt; in a
page. It might be necessary to wrap the plain text inside a quick HTML
wrapper; that would level things out, as then every browser would interpret
what it found as HTML, but at the same time any <> characters would be
replaced with &lt; &gt;, so that would fix the problem, I think.
Java might lack a good search/replace function, but our friend Google can
probably find something that's open source (there must be some open source
template system or something you can find a nice search/replace function
in).
Then it would just be a case of something like this (no, I don't write Java;
treat this as pseudopodia)...
public class JavaUtilities {
    // Replace every occurrence of searchS in sourceS with replaceS, scanning left
    // to right so text already substituted is never rescanned (the naive
    // "indexOf from the start" loop spins forever if replaceS contains searchS).
    public String replaceSubString(String sourceS, String searchS, String replaceS) {
        StringBuilder out = new StringBuilder(sourceS.length());
        int from = 0;
        int idx;
        while ((idx = sourceS.indexOf(searchS, from)) >= 0) {
            out.append(sourceS, from, idx).append(replaceS);
            from = idx + searchS.length();
        }
        out.append(sourceS.substring(from));
        return out.toString();
    }
}

JavaUtilities ju = new JavaUtilities();
// Neutralise the tag delimiters so the browser displays them instead of parsing them.
HTML_source = ju.replaceSubString(HTML_source, "<", "&lt;");
HTML_source = ju.replaceSubString(HTML_source, ">", "&gt;");
// Wrap the escaped text in a minimal HTML document (Java concatenates with +).
HTML_source = "<html><head><title>Plain text document</title></head><body><code>"
    + HTML_source + "</code></body></html>";
_______________________________________________
devl mailing list
devl at freenetproject.org
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl
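The following is an added example written for this page; it is not code from the devl thread or from FProxy, and the class, method and constant names are my own. It puts the two containment tricks discussed above (dropping the raw text into a <textarea>, and handing it to a script as a string literal) next to the escape-at-source approach from the last reply, and uses two constructed attacker documents to show that the first two carry the attacker's markup through unchanged while the escaped body contains no character that can open a tag or terminate a string literal. It goes one step beyond the thread by escaping '&', '"' and the apostrophe as well as '<' and '>', so that an "&lt;" already present in the text is displayed literally rather than decoded, and so that the same routine is safe inside attribute values.

```java
/** Added example (not part of the thread or of FProxy). Names are hypothetical. */
public final class PlainTextRenderer {

    /** Escape every character that can open markup or end a quoted attribute.
     *  One pass over the characters, so the entities written for '<' and '>'
     *  are never themselves re-escaped and '&' needs no special ordering. */
    public static String escapeHtml(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Thread idea 1: put the raw text inside a <textarea>. */
    public static String wrapInTextarea(String text) {
        return "<form><textarea rows=\"25\" cols=\"70\">" + text + "</textarea></form>";
    }

    /** Thread idea 3: hand the raw text to a script as a JavaScript string literal. */
    public static String wrapInScriptLiteral(String text) {
        return "<textarea id=\"plain\"></textarea><script type=\"text/javascript\">"
             + "document.getElementById('plain').value = \"" + text + "\";</script>";
    }

    /** The fix from the last reply: escape first, then wrap. <pre> keeps line
     *  breaks and runs of spaces, which <code> on its own does not. */
    public static String wrapEscaped(String text) {
        return "<html><head><title>Plain text document</title></head><body><pre>"
             + escapeHtml(text) + "</pre></body></html>";
    }

    /** Constructed attacker documents (made up for this example), one per trick. */
    static final String BREAK_OUT_OF_TEXTAREA =
        "</textarea><script>alert(document.cookie)</script>Harmless-looking text.";
    static final String BREAK_OUT_OF_SCRIPT =
        "\";</script><script>alert(document.cookie)</script><script>var x=\"";

    public static void main(String[] args) {
        // Both containment tricks deliver the attacker's tags to the browser verbatim.
        System.out.println("textarea trick keeps attacker markup:       "
            + wrapInTextarea(BREAK_OUT_OF_TEXTAREA).contains("</textarea><script>"));
        System.out.println("script-literal trick keeps attacker markup: "
            + wrapInScriptLiteral(BREAK_OUT_OF_SCRIPT).contains("\";</script><script>"));
        // After escaping there is no '<', '>' or '"' left in the body at all, so whatever
        // the browser decides the content type is, nothing in it can start a tag or end
        // the string literal the script trick relies on.
        String body = escapeHtml(BREAK_OUT_OF_TEXTAREA + BREAK_OUT_OF_SCRIPT);
        System.out.println("escaped body has no raw delimiters:         "
            + (body.indexOf('<') < 0 && body.indexOf('>') < 0 && body.indexOf('"') < 0));
        // A legitimate text about HTML survives with its tags shown, not interpreted.
        System.out.println(wrapEscaped("A text about HTML: <b> makes bold & <i> italic."));
    }
}
```

Save it as PlainTextRenderer.java, compile with javac and run it; the first two lines print true, the third prints true, and the last line shows the sample sentence with &lt;b&gt;, &amp; and &lt;i&gt; in place of the raw characters. The point of escaping '&' in the same pass is that the output never depends on the order of replacements, which is where two successive replaceSubString calls can go wrong once more characters are added.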