The reason to strip script tags would be to protect users from hostile code which the browsers can't handle themselves. Adding this feature to a firewall at all, but not making it work properly in all cases (probably a hopeless task anyway...) makes a false sense of security, which often is worse than no security at all. /Arne Vidstrom http://ntsecurity.nu > To: BugTraq > Subject: Re: "Strip Script Tags" in FW-1 can be circumvented > Date: Mon Jan 31 2000 00:28:29 > Author: Jonah Kowall > > I don't consider this a bug in FW-1, but a bug in the products > navigator, and internet explorer. These tags shouldn't be parsed, because > they are malformed. The firewall is stripping tags properly, but since > these tags are malformed you can't expect the firewall to be able to > recognize them as valid tags.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:59 PDT