[rt-users] Better e-mail message display in RT3

Niels Bakker niels=rt at bakker.net
Thu Oct 28 18:53:02 EDT 2004


* daniel at digsys.bg (Daniel Kalchev) [Thu 28 Oct 2004, 16:08 CEST]:
> Where is this handled and has someone worked on prettifying RT3 as it
> comes to its e-mail display?

Displaying HTML as sent by a user to your ticketing system is a huge
security hole.  For example, it could contain some JavaScript that would
send your authentication cookie to the attacker.  Or contain enough
invalid HTML to hang or crash your browser (recently a slew of such
remotely exploitable vulnerabilities in about all browsers have been
uncovered).

So, I'm sorry, but there is no easy answer to your question.  Filtering
for <script lang="javascript">-style tags has been tried by other people
(e.g. Yahoo! and Hotmail), and it turns out that this is nigh impossible:
<img src="image" onMouseOver="javascript:..."> is one example of how it
could be possible to sneak active code into a user's browser.  And then
it turns out you can unicode-escape some characters in the word
`javascript', so the list of possible holes in such a filter just goes
on and on...


	-- Niels.

-- 
Today's subliminal thought is: 
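
The filtering problem described in the message above, as an added example that is not part of the original post and is not RT code: a script-tag blacklist next to an allowlist sanitizer that rebuilds the HTML from parsed tokens. The tag, attribute and scheme policy, the function names and the sample strings are assumptions made for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical policy for this example: a few formatting tags, links only.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "pre", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}
# Constructed samples: the <img> case from the message and an entity-escaped link.
SAMPLES = ['<p>Hello</p><img src="image" onMouseOver="javascript:...">',
           '<a href="&#106;avascript:...">link</a>']

def naive_filter(html):
    """Blacklist approach from the message: remove <script> elements only."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)

def safe_url(value):
    # HTMLParser has already decoded character references in attribute values,
    # so an entity-escaped scheme is checked in its decoded form.
    m = re.match(r"([a-z][a-z0-9+.-]*):", re.sub(r"[\x00-\x20]", "", value), re.I)
    return bool(m) and m.group(1).lower() in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tags vanish; their text is still escaped below
        kept = [f' {n}="{escape(v)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and v and safe_url(v)]
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Both samples pass through naive_filter() unchanged, while sanitize() drops the <img> element entirely and strips the href from the link. Links without an allowed absolute scheme are rejected as well, which is a deliberate choice for mail content in this sketch.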


