$Cambridge: hermes/src/prayer/docs/SECURITY,v 1.2 2008/09/16 09:59:56 dpc22 Exp $
text/HTML model implemented by sqwebmail and adopted by Prayer
Browser Security - HTML
SqWebMail has the ability to display HTML E-mail, which leads to
several complicated situations regarding embedded Javascript or Java
applets that try to grab the mailboxid of the recipient (amongst other
things). SqWebMail attempts to remove all forms of scripting from HTML
E-mail as follows:
* The following HTML tags are removed: <SCRIPT>, </SCRIPT>, <APP>,
</APP>, <APPLET>, </APPLET>, <SERVER>, </SERVER>, <OBJECT>,
</OBJECT>, <HTML>, </HTML>, <HEAD>, </HEAD>, <BODY>, </BODY>,
<META>, <TITLE>, </TITLE>, <FRAME>, </FRAME>, <LINK>, <IFRAME> and
</IFRAME>.
* The following HTML attributes are stripped from every tag:
ONLOAD=, ONMOUSEOVER=, and all ON*= attributes; TARGET=, CODE=,
CODETYPE=, and LANGUAGE= are removed; TARGET=_blank is added to
all <A> tags.
* The HREF and SRC attributes are stripped unless the URL starts with
one of the following schemes: http:, https:, ftp:, gopher:, wais:,
telnet:, or cid:.
* The HREF and SRC attribute values are prefixed with a URL that
will resolve to SqWebMail, and an additional TARGET="_blank"
attribute is added. A request to that resulting URL will return a
blank page with a 0-second refresh to the original URL. This method
keeps mailbox IDs out of the Referer: header sent to external web
sites. If the HREF attribute starts with cid:, it is replaced by an
http: reference to SqWebMail that will return the specified MIME
part.
* IMG tags are removed and replaced with an A tag, in order to keep
the HTTP client from automatically loading any images from
external web sites, upon opening a given message.
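The following is an added, self-contained illustration of the filtering model described in the list above; it is not code from the sqwebmail or Prayer sources. It applies the same rules (drop the listed tags, strip ON*= and the blanket-removed attributes, allow-list URL schemes on HREF/SRC, wrap external URLs in a redirector, turn cid: into a MIME-part fetch, convert IMG to A, and force TARGET="_blank" on links) using Python's standard html.parser. The redirector and part-fetcher paths REDIRECT_BASE and CID_BASE are assumed placeholders, and the sample message is constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Tags removed entirely, in both opening and closing form.
STRIPPED_TAGS = {"script", "app", "applet", "server", "object", "html", "head",
                 "body", "meta", "title", "frame", "link", "iframe"}
# Attributes removed from every tag (ON*= handlers are matched by prefix).
STRIPPED_ATTRS = {"target", "code", "codetype", "language"}
# Schemes that HREF/SRC may use; any other value loses the attribute.
ALLOWED_SCHEMES = ("http:", "https:", "ftp:", "gopher:", "wais:", "telnet:")

# Assumed placeholder paths (not sqwebmail's or Prayer's real URLs): a page that
# returns a blank document with a 0-second refresh, and a MIME-part fetcher.
REDIRECT_BASE = "/cgi-bin/webmail/redirect?url="
CID_BASE = "/cgi-bin/webmail/part?cid="


def rewrite_url(value):
    """Apply the HREF/SRC policy. cid: becomes a reference to the MIME part,
    allow-listed schemes are wrapped in the redirector, anything else returns
    None so the caller drops the attribute."""
    v = value.strip()
    low = v.lower()
    if low.startswith("cid:"):
        return CID_BASE + quote(v[4:], safe="")
    if low.startswith(ALLOWED_SCHEMES):
        return REDIRECT_BASE + quote(v, safe="")
    return None


def filter_attrs(attrs):
    """Drop ON*= handlers and blanket-stripped attributes; rewrite HREF/SRC."""
    kept = []
    for name, value in attrs:
        name = name.lower()
        if name.startswith("on") or name in STRIPPED_ATTRS:
            continue
        if name in ("href", "src"):
            if value is None:
                continue
            value = rewrite_url(value)
            if value is None:
                continue
        kept.append((name, value))
    return kept


def render_tag(tag, attrs):
    """Re-serialise a start tag with attribute values HTML-escaped."""
    parts = [tag]
    for name, value in attrs:
        parts.append(name if value is None else '%s="%s"' % (name, escape(value)))
    return "<" + " ".join(parts) + ">"


class MailHTMLSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in STRIPPED_TAGS:
            return
        attrs = filter_attrs(attrs)
        if tag == "img":
            # Replace the image with a link so the client never fetches it
            # automatically; the alt text (if any) becomes the link text.
            alt = dict(attrs).get("alt") or ""
            label = escape("[image: %s]" % alt if alt else "[image]")
            src = dict(attrs).get("src")
            if src is None:
                self.out.append(label)
            else:
                self.out.append(render_tag("a", [("href", src), ("target", "_blank")]))
                self.out.append(label + "</a>")
            return
        if tag == "a":
            attrs.append(("target", "_blank"))
        self.out.append(render_tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in STRIPPED_TAGS or tag == "img":
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text content (including what was inside a removed <script>) is
        # re-escaped so it can only ever render as text. Comments are dropped.
        self.out.append(escape(data))


def sanitize(html):
    parser = MailHTMLSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message body exercising each rule.
SAMPLE = ('<html><body onload="x()"><script>alert(1)</script>'
          '<a href="javascript:alert(1)">bad</a><a href="http://example.com/">ok</a>'
          '<img src="http://example.com/i.png" alt="pic">'
          '<p onclick="x">hi &amp; bye</p></body></html>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Note that, as in the model described above, the script body survives as visible text; only the tags and the handler attributes are removed, and everything that reaches the browser as text is escaped on the way out.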