Reintroduce the raw html feature securely #22

Open
paradoxxxzero opened this Issue Mar 2, 2014 · 3 comments

@paradoxxxzero
Owner

paradoxxxzero commented Mar 2, 2014

Use a good script stripping method to clean the inserted html to avoid malicious script injection.

http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression
and https://github.com/LiftoffSoftware/htmltag/blob/master/htmltag.py#L186

could be a start.


Owner

paradoxxxzero commented Mar 7, 2014

Following a discussion with the GateOne developer, this should be reintroduced as a DCS control rather than a dirty OSC99 hack.
The escape format will be:

\x90;TYPE|CONTENT\x9c

Where TYPE here will be HTML and content the raw html to be stripped.

paultag commented Mar 7, 2014

Ftr my example svg had no script tags
On Mar 7, 2014 4:20 AM, "Mounier Florian" notifications@github.com wrote:

Following to a discussion with GateOne developer, this should be
reintroduced as a DCS control rather than dirty OSC99 hack.
The escape format will be:

\x90;TYPE|CONTENT\x9c

Where TYPE here will be HTML and content the raw html to be stripped.


Owner

paradoxxxzero commented Mar 11, 2014

Yes, all on* attributes must be removed too.
I was wondering, maybe using an embed tag with a data url should be enough to prevent any exploit?
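An added example (not butterfly's own code) that puts the two comments above together: it extracts HTML-typed payloads from the `\x90;TYPE|CONTENT\x9c` DCS frame described in the thread and strips `<script>` elements and every `on*` attribute with a real HTML parser instead of the regular-expression approach linked in the first comment. The frame regex, the `_Stripper` class and the sample stream are assumptions of this example; it covers only the two things the thread names.

```python
import html
import re
from html.parser import HTMLParser

# DCS ... ST frame as described in the issue, using 8-bit C1 controls.
DCS, ST = "\x90", "\x9c"
FRAME_RE = re.compile(r"\x90;([A-Z]+)\|(.*?)\x9c", re.S)  # assumed grammar


def parse_dcs(stream):
    """Return (TYPE, CONTENT) for every DCS frame found in a terminal stream."""
    return [(m.group(1), m.group(2)) for m in FRAME_RE.finditer(stream)]


class _Stripper(HTMLParser):
    """Re-emit markup, dropping <script> (with its body) and on* attributes.
    Comments are dropped too; text and attribute values are re-escaped."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives unescaped
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":          # HTMLParser lowercases tag/attr names
            self.skip += 1
            return
        if self.skip:
            return
        kept = [(k, v) for k, v in attrs if not k.startswith("on")]
        rendered = "".join(
            f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <x/> -> <x>, no stray </x>

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def strip_html(fragment):
    p = _Stripper()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def handle_stream(stream):
    """Sanitised CONTENT of each HTML-typed frame; other TYPEs are ignored."""
    return [strip_html(c) for kind, c in parse_dcs(stream) if kind == "HTML"]


# Constructed sample: one HTML frame carrying an event handler and a script.
SAMPLE_PAYLOAD = ('<b onmouseover="alert(1)">hi</b><script>alert(2)</script>'
                  '<svg><circle r="1"/></svg>')
SAMPLE_STREAM = f"plain text {DCS};HTML|{SAMPLE_PAYLOAD}{ST} more text"
```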
