quick question - before I dig deeper, did the previous AFC plugin not block
javascript in HTML at all?
On Mon, Oct 31, 2022 at 10:21 AM K Post <nntp.p...@gmail.com> wrote:
> The new AFC is blocking a nightly report that comes in HTML format with
> javascript in it -- as I would expect, but before his new AFC, they were
> erroneously slipping through.
>
> I don't know why these reports weren't being blocked before, it's basic
> HTML with a short block of javascript at the end. Of note, the javascript
> starts like this and has a base64 image in its code - something that the
> new AFC addresses:
>
> <script type="text/javascript">
> var iX = 0; var iY = 0; var iX = 0; var iY = 0;
> var charting_img = "*data**:image/gif;base64*, -- base 64 is here in
> real code ==";
> var iCurrent = "";
> var images = document.getElementsByTagName('imgs');
>
> So it looks like the new AFC works much better. Great.
>
> Now I need an exception to allow these nightly reports through again.
> Ordinarily, I'd allow the sha256 of the detected blocked *file* to allow
> the code through, but in looking at the logs, it appears that it is showing
> the sha256 of the .html file itself vs just the portion of javascript that
> is being detected. That means that the sha256 that shows in the log is
> different each time and can't be use for the exception.
>
> *Is there a way that I can allow the javascript code (which is constant
> and in an ever changing html file) through using sha256 or another method,
> but still block all other html files with javascript embedded?*
>
> I don't have control of the sending server. I know I don't want to use a
> UserAttach exception for the sending email address, as that's used for many
> other messages (frustratingly so).
>
> I don't want an exception to allow html with javascript for the receiving
> users regardless of the sender, that would be too much of a risk.
>
> Thanks
>
>
>
>
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
