[Mimedefang] HTML Exploits

Kenneth Porter shiva at sewingwitch.com
Fri May 4 20:05:36 EDT 2007


On Saturday, May 05, 2007 12:36 AM +0100 Rob MacGregor 
<rob.macgregor at gmail.com> wrote:

> how thorough is their code?  Will it simply catch ASCII or any of
> the dozens (if not hundreds) of ways of abusing UNICODE, or will it
> mangle emails that simply have <script> in them (like this one)?

It's worse than that. It also needs to simulate all the bugs and all the 
special permissive "features" (ie. workarounds for bad HTML) in all 
versions of Outlook parsers that allow some of these exploits to get 
through.

Another approach is to run a validator against what you receive and reject 
anything judged invalid.

I don't mind HTML in email. I mind *abuses* of HTML. (JavaScript is just 
one of many such abuses.) A validator should address that.


More information about the MIMEDefang mailing list