Re: Eudora executes (Java) URL

From: John D. Hardin (jhardinat_private)
Date: Tue Aug 11 1998 - 21:16:25 PDT


    On Tue, 11 Aug 1998, Alec Kosky wrote:
    
    > >> >  s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1
    > >> DEFANGED-ONLOAD/gi;
    > >>
    > >> Also things like < body ... > won't be caught. I don't know if those
    > >> leading spaces are proper HTML, but even if not, one should not
    > >> suppose every bad HTML to be rejected.
    > >
    > > The following can fix all of that:
    > >
    > > s/<\s+BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s+/<BODY $1
    > > DEFANGED-ONLOAD/gi;
    >
    > Actually, I believe the RE that you are looking for is this:
    >
    > s/<\s*BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s*/<BODY $1
    > DEFANGED-ONLOAD/gi;
    >
    > The \s+ will only match one or more whitespaces, meaning that
    > <BODY onload="badthings()" ONLOAD="badthings()"> would not be caught,
    > because there are no spaces between < and body, but \s* will match zero
    > or more whitespace characters. This will catch
    
    "<\s+BODY" is not a valid HTML tag, so it will (should!) be totally
    ignored by the HTML parser in the mail client. If the HTML parser in the
    mail client ignores it, it's not an avenue for an exploit. Can anyone
    actually get an HTML-aware email client to recognize and process a
    "<\s+BODY" tag? Let me know.
    
    I will, however, clean the filter up for multiple ONLOAD="" clauses.
    
    Tomorrow.
    
    --
     John Hardin KA7OHZ                               jhardinat_private
     pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
     PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
    -----------------------------------------------------------------------
      Your mouse has moved. Windows NT must be restarted for the change
      to take effect. Reboot now?  [ OK ]
    -----------------------------------------------------------------------
       75 days until Daylight Savings Time ends
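As an added example (not code from this thread, from Eudora, or from the filter John Hardin maintains), here is the same defanging idea in Python rather than Perl, extended to rename every ONLOAD attribute of a BODY tag instead of just one, which is the multiple-ONLOAD case the reply promises to handle. The function names and the sample HTML are constructed for illustration; the choice to leave "< BODY" untouched follows the reply's reasoning and is an assumption about parser behaviour, not something verified per client.

```python
import re

# One <BODY ...> opening tag, case-insensitive; group 1 keeps the tag name as
# written. The attribute region accepts double-quoted values with backslash
# escapes (as in the thread's pattern) so a '>' inside quotes does not end the
# tag early. Single-character alternatives avoid the nested-quantifier
# backtracking that a ([^">]+...)* form can hit on an unterminated tag.
BODY_TAG = re.compile(r'<(BODY)(?=[\s>])((?:[^">]|"(?:\\.|[^"\\])*")*)>',
                      re.IGNORECASE)

# One attribute inside that region: leading whitespace, a name, and optionally
# =value where the value is double-quoted or a bare token.
ATTR = re.compile(r'(\s*)([^\s=">]+)(\s*=\s*(?:"(?:\\.|[^"\\])*"|[^\s">]+))?')


def defang_body_onload(html: str) -> str:
    """Rename every ONLOAD attribute of every <BODY> tag to DEFANGED-ONLOAD.

    A single s/// with one capture group rewrites at most one attribute; this
    walks the attribute list so <BODY onload=... ONLOAD=...> is fully neutered.
    Only attribute names are renamed, so a value such as title="onload=x" is
    left alone. Text like "< BODY" is not matched, on the assumption (from the
    thread) that a conforming parser does not treat it as a tag.
    """
    def fix_attr(a):
        ws, name, value = a.group(1), a.group(2), a.group(3) or ''
        if name.upper() == 'ONLOAD':
            name = 'DEFANGED-ONLOAD'
        return ws + name + value

    def fix_tag(t):
        return '<' + t.group(1) + ATTR.sub(fix_attr, t.group(2)) + '>'

    return BODY_TAG.sub(fix_tag, html)


def count_live_onload(html: str) -> int:
    """Number of ONLOAD attributes still present on BODY tags (0 after defanging)."""
    n = 0
    for t in BODY_TAG.finditer(html):
        for a in ATTR.finditer(t.group(2)):
            if a.group(2).upper() == 'ONLOAD':
                n += 1
    return n


if __name__ == '__main__':
    # Constructed sample: two ONLOAD attributes, mixed case, on one BODY tag.
    sample = '<html><BODY onload="badthings()" ONLOAD="badthings()"><p>hi</p></BODY></html>'
    print(defang_body_onload(sample))
    print('live ONLOAD before/after:', count_live_onload(sample),
          count_live_onload(defang_body_onload(sample)))
```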
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:12 PDT