Please keep discussions on the lists.

Quoting Ziba Scott <[EMAIL PROTECTED]>:

> Maybe it would be better to just strip out the tags themselves (but not
> everything outside of the tags). I don't see much value in keeping
> commented out html around:
>
> $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '';
> $patterns['/(<\/(body|html)>)/si'] = '';

That seems better to me.

> Stripping only the tags versus stripping the tags and outside of the
> tags doesn't give the attacker any new opportunities. In the current
> system, the attacker just has to put their evil inside the html tags and
> it will not be removed.

Well, assuming it's not caught by anything else, but yes. My concern was not copying over attributes from html/body tags into comments.

> Can you elaborate on what you would like to see from me to be
> comfortable including an xss filter change?

If you look in framework/Text_Filter/tests/, there are a number of xss tests (all run by xss.phpt, I believe). Making sure that all of those still pass, and possibly adding some new tests that ensure that malicious code broken up into multiple <html> or <body> tags is still escaped, would be the minimum.

Thanks,
-chuck

--
"I have concerns that we are not behaving like a mature, responsible, collection of interdependent organisms." - Rick O.
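A regression check for the two patterns quoted above, as an added example that is not part of the original message or of Horde's test suite. The function names (`strip_once`, `strip_stable`, `check`) and the sample inputs are constructed for illustration, and the repeat-until-stable loop goes beyond what the message proposes.

```php
<?php
// Added example, not Horde code. The patterns are the two quoted in the
// message; function names and sample inputs are constructed for illustration.

const WRAPPER_PATTERNS = [
    '/(<body[^>]*>|<html[^>]*>)/si',
    '/(<\/(body|html)>)/si',
];

// One pass, as a single preg_replace() call would apply the patterns.
function strip_once(string $html): string
{
    return preg_replace(WRAPPER_PATTERNS, '', $html);
}

// Repeat until the text stops changing.
function strip_stable(string $html): string
{
    do {
        $before = $html;
        $html = strip_once($html);
    } while ($html !== $before);
    return $html;
}

function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got '$got', want '$want'");
    }
    echo "ok - $label\n";
}

// Tags and their attributes are dropped, the text between them is kept.
check('plain wrapper', strip_once('<html><body class="x">Hi</body></html>'), 'Hi');

// A wrapper tag nested inside another: one pass leaves a whole tag behind.
$nested = '<bo<body>dy class="marker">text';
check('nested, one pass', strip_once($nested), '<body class="marker">text');
check('nested, stable', strip_stable($nested), 'text');

// Other markup split by wrapper tags only exists after stripping, so the
// remaining filter rules have to run on the stripped text, not before it.
$split = '<e<html>m>text</e</body>m>';
check('split element', strip_stable($split), '<em>text</em>');
```

Cases like these could be added alongside the existing xss tests to pin down both the attribute concern and the split-tag concern raised in the reply.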