[Mimedefang] HTML Exploits
Kenneth Porter
shiva at sewingwitch.com
Fri May 4 20:05:36 EDT 2007
On Saturday, May 05, 2007 12:36 AM +0100 Rob MacGregor
<rob.macgregor at gmail.com> wrote:

> how thorough is their code? Will it simply catch ASCII or any of
> the dozens (if not hundreds) of ways of abusing UNICODE, or will it
> mangle emails that simply have <script> in them (like this one)?

It's worse than that. It also needs to simulate all the bugs and all the
special permissive "features" (i.e., workarounds for bad HTML) in all
versions of Outlook parsers that allow some of these exploits to get
through.

Another approach is to run a validator against what you receive and reject
anything judged invalid.

I don't mind HTML in email. I mind *abuses* of HTML. (JavaScript is just
one of many such abuses.) A validator should address that.
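
The validate-and-reject approach described above, as an added example that is not part of the original post and is not MIMEDefang code. The allowlist policy and the names `validate`, `StrictMailHTML` and `Invalid` are assumptions; Python's `html.parser` is itself a tolerant tokenizer, so this enforces the allowlist and tag balance rather than full standards conformance.

```python
from html.parser import HTMLParser

# Assumed policy (not from the post): passive markup only, nothing else.
ALLOWED = {t: set() for t in (
    "html head title body p br b i em strong ul ol li blockquote pre".split())}
ALLOWED.update({"a": {"href"}, "img": {"src", "alt"}})
VOID = {"br", "img"}                      # elements with no end tag
SCHEMES = {"http", "https", "mailto", "cid"}

class Invalid(Exception):
    """Raised at the first construct outside the policy."""

class StrictMailHTML(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []                   # currently open elements

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            raise Invalid(f"element <{tag}> not allowed")
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                raise Invalid(f"attribute {name!r} not allowed on <{tag}>")
            if name in ("href", "src"):
                # Allowlist the scheme; anything unparsable or odd is rejected.
                scheme, sep, _ = (value or "").partition(":")
                if not sep or scheme.lower() not in SCHEMES:
                    raise Invalid(f"URL {value!r} not allowed")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        # Require strict nesting instead of guessing what the sender meant.
        if not self.stack or self.stack.pop() != tag:
            raise Invalid(f"unexpected </{tag}>")

    def handle_comment(self, data):
        raise Invalid("comments not allowed")

def validate(html_body):
    """Return (True, "") if the body passes, else (False, reason)."""
    parser = StrictMailHTML()
    try:
        parser.feed(html_body)
        parser.close()
    except Invalid as exc:
        return False, str(exc)
    if parser.stack:
        return False, f"unclosed <{parser.stack[-1]}>"
    return True, ""
```

Because the message is rejected rather than rewritten, the filter never has to predict how a lenient client would repair malformed markup, and a message that only mentions `<script>` as escaped text passes unchanged.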