Reintroduce the raw html feature securized #22

Open
paradoxxxzero opened this Issue Mar 2, 2014 · 3 comments

Projects

None yet

2 participants

@paradoxxxzero
Owner

Use a good script stripping method to clean the inserted html to avoid mailicious script injection.

http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression
and https://github.com/LiftoffSoftware/htmltag/blob/master/htmltag.py#L186

could be a start.

@paradoxxxzero
Owner

Following to a discussion with GateOne developer, this should be reintroduced as a DCS control rather than dirty OSC99 hack.
The escape format will be:

\x90;TYPE|CONTENT\x9c

Where TYPE here will be HTML and content the raw html to be stripped.

@paultag
paultag commented Mar 7, 2014

Ftr my example svg had no script tags
On Mar 7, 2014 4:20 AM, "Mounier Florian" notifications@github.com wrote:

Following to a discussion with GateOne developer, this should be
reintroduced as a DCS control rather than dirty OSC99 hack.
The escape format will be:

\x90;TYPE|CONTENT\x9c

Where TYPE here will be HTML and content the raw html to be stripped.

Reply to this email directly or view it on GitHubhttps://github.com/paradoxxxzero/butterfly/issues/22#issuecomment-36979996
.

@paradoxxxzero
Owner

Yes, all on* attributes must be removed too.
I was wondering, maybe using an embed tag with a data url should be enough to prevent any exploit ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment