[Dev] Re: [Design] Obvious Scripting Security Notes

wayne at mishre.com wayne at mishre.com
Wed Nov 6 07:03:42 PST 2002

Quoting "S. Mike Dierken" <mdierken at hotmail.com>:

> I feel the same as you regarding the importance of security at the scripting
> layer. But I think HTML is used for more than spam - mainly rich text
> messages. I often correspond in a business setting using boldface text,
> colors, indenting, bullet points, etc.
> It would be nice to know what actual uses of rich text end-users actually
> use and need.
> It may be possible to support a subset of HTML for just text markup
> (probably a profile of XHTML) using a Content-Type header, and then to be
> rude to the past, launch an external helper app (like IE) for the old HTML
> stuff. If there are security concerns, let them fall back on MS.

How about a pre-processing plug-in that strips out the insecure HTML? Rather
than the usual backwards approach of listing what is bad, we list what is
allowed and the rest is removed.

Something like this could have different levels of paranoia, each reflected in a
different list of allowed RegEx patterns.

On the issue of spam, why not have the MTA generate a digital signature on a
per-site basis? Then you can publish the public key for end users to download.
This way the client can ensure a message from @yahoo.com is in fact from
Yahoo's mail server and not a forged message.

..a bit off topic,


Wayne Pierce
wayne at mishre.com

New England Information Security Users Group ("NEISUG")
