
Re: Bug#308282: [phpbb2 #308282] upstream patch



On Tue, May 10, 2005 14:55, Ulf Harnhammar wrote:
> Protecting against this type of attack is much more complicated than
> this. As Jeroen noted, HTML entities are interpreted, so you have to
> protect against things like "javascript:". Some browsers allow varying
> amounts of whitespace inside protocols for some reason, so you have to
> protect against "java  scr ipt : ". Upper and lower characters may be an
> issue. Finally, some browsers including Mozilla store entities in integers
> so they wrap over and start again after 2**32.

So to conclude I think we have to resort to a whitelist of allowed protocols.
kses uses ('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher',
'mailto') which seems like a reasonable list.


Thijs
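As an added illustration of the whitelist approach Thijs proposes, here is a scheme check that applies the kses protocol list only after normalising the evasions Ulf lists: HTML entities (including numeric entities that wrap modulo 2**32), whitespace and control characters inside the scheme, and mixed case. This is example code written for this page, not code from phpBB, kses or the thread; it is standalone Python rather than phpBB's PHP, the protocol list is the one quoted above, the sample inputs are constructed, and treating schemeless (relative) URLs as allowed is an assumed policy.

```python
import html.entities
import re

# The kses whitelist quoted in the thread.
ALLOWED_PROTOCOLS = frozenset(
    ("http", "https", "ftp", "news", "nntp", "telnet", "gopher", "mailto")
)

# One entity reference: &#NNN; / &#xHH; / &name; with an optional ';'
# (browsers are lenient about the terminator, so the filter is too).
_ENTITY = re.compile(
    r"&(?:#(?:[xX]([0-9a-fA-F]+)|([0-9]+))|([a-zA-Z][a-zA-Z0-9]*));?"
)
# Whitespace and control characters that browsers ignore inside a URL.
_IGNORED = re.compile(r"[\x00-\x20\x7f]+")
# A URL scheme at the very start of the normalised string.
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def decode_entities(text):
    """Decode HTML entities once, the way a lenient browser would.

    Numeric values are reduced modulo 2**32 because, as the thread notes,
    browsers of that era kept the code point in a 32-bit integer, so
    &#4294967402; wraps around to 106 and renders as 'j'.  A strict decoder
    that simply rejects out-of-range values would let that evasion through.
    """
    def _one(m):
        hex_digits, dec_digits, name = m.groups()
        if name is not None:
            # Named entity (e.g. &colon;); unknown names are left untouched.
            return (html.entities.html5.get(name + ";")
                    or html.entities.html5.get(name)
                    or m.group(0))
        value = int(hex_digits, 16) if hex_digits is not None else int(dec_digits)
        value %= 2 ** 32
        return chr(value) if 0 < value <= 0x10FFFF else ""

    return _ENTITY.sub(_one, text)


def extract_scheme(url):
    """Return the scheme a browser would act on, lower-cased, or None.

    Entity decoding, whitespace/control stripping and lower-casing are done
    only for this check; the caller should still emit the original URL,
    escaped as usual, not the normalised copy.
    """
    compact = _IGNORED.sub("", decode_entities(url)).lower()
    m = _SCHEME.match(compact)
    return m.group(1) if m else None


def url_scheme_is_allowed(url, allowed=ALLOWED_PROTOCOLS):
    """True if the URL has no scheme (relative, assumed policy) or its
    normalised scheme is on the whitelist.  Everything else is rejected,
    so a new dangerous scheme never has to be added to a blacklist."""
    scheme = extract_scheme(url)
    return scheme is None or scheme in allowed


if __name__ == "__main__":
    # Constructed samples covering the evasions discussed in the thread.
    samples = [
        "http://www.debian.org/",
        "mailto:user@example.com",
        "/relative/path?x=javascript:y",
        "javascript:alert(1)",
        "JaVaScRiPt:alert(1)",
        "java  scr ipt : alert(1)",
        "&#106;avascript:alert(1)",
        "&#x6A;avascript:alert(1)",
        "&#4294967402;avascript:alert(1)",
        "javascript&#58;alert(1)",
        "javascript&colon;alert(1)",
        "vbscript:msgbox(1)",
    ]
    for u in samples:
        print(f"{str(url_scheme_is_allowed(u)):5} {extract_scheme(u)!r:14} {u!r}")
```

The check answers only "may this scheme be linked to at all"; it does not validate the rest of the URL, and the normalised string must never be what gets written back into the page.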
