Securing HTML vs securing HTTP
Jens Alfke
jens at mooseyard.com
Mon Jan 23 19:48:43 UTC 2006
On 23 Jan '06, at 10:52 AM, Brad Fitzpatrick wrote:
> Likewise, the Perl implementation ignores everything past the </head>.
How does it find the end of the head element? Is it using a full HTML
parser? If not, is it smart enough to recognize </HEAD> or </ HEAD> or
any other accepted syntax?
There's also the issue of CDATA in the page title:
<html>
<head>
<title><![CDATA[GullibleWiki -- Muahaha rel="openid.server"
href="http://evil.net/openid/">]]>
</title>
</head>
In this case the attacker used a wiki-like app to create a page whose
title contains an OpenID link. An OpenID client that didn't
understand CDATA would think this page represented a valid identity.
It might be good to have a test suite of pages like my examples that
try to fool the link detector.
> Presumably blog/CMS software is safer with its global template than
> the stuff inside the body.
Yes, in that the admin has to install a plugin or theme to alter it.
Of course, people tend to be pretty cavalier about installing themes
— they're thinking more about aesthetics than security. In the case
of Drupal, themes unfortunately get to generate all of the HTML
including the <head>. Not sure about other CMS/blog engines.
--Jens
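As an added illustration of the two points above (this is not code from the thread or from any OpenID library): a naive regex-based link detector beside a parser-based one, run over constructed pages that reproduce the CDATA-in-title case and a mixed-case </HEAD> followed by a link injected in the body. Hostnames and page contents are made up for the example.

```python
# Added example, not code from the yadis thread: a naive regex-based OpenID link
# detector beside a parser-based one, run on constructed pages that reproduce
# the CDATA-in-title and mixed-case </HEAD> cases from the message.
import re
from html.parser import HTMLParser

# Constructed sample pages; hostnames are placeholders, not real sites.
CDATA_TITLE_PAGE = """<html><head>
<title><![CDATA[GullibleWiki -- Muahaha rel="openid.server"
href="http://evil.net/openid/">]]></title>
</head><body>Harmless page</body></html>"""
BODY_INJECT_PAGE = """<HTML><HEAD><title>Blog</title></HEAD>
<BODY><p>comment: <link rel="openid.server"
href="http://evil.net/openid/"></p></BODY></HTML>"""
GOOD_PAGE = """<html><head><link rel="openid.server"
href="https://id.example.org/server"></head><body></body></html>"""

NAIVE_RE = re.compile(r'rel="openid\.server"\s+href="([^"]+)"', re.I)

def naive_server(html):
    """Regex over everything before the literal '</head>': fooled by text in
    <title> and by a mixed-case </HEAD> (the split then keeps the body too)."""
    head = html.split("</head>")[0]
    match = NAIVE_RE.search(head)
    return match.group(1) if match else None

class HeadLinkParser(HTMLParser):
    """Record <link rel=... href=...> start tags seen before the head ends."""
    def __init__(self):
        super().__init__()
        self.links, self.in_head = {}, True
    def handle_starttag(self, tag, attrs):   # tag and attr names arrive lowercased
        if tag == "body":                    # implicit end of head
            self.in_head = False
        if not self.in_head or tag != "link":
            return
        attr = dict(attrs)
        if attr.get("rel") and attr.get("href"):
            for token in attr["rel"].lower().split():
                self.links.setdefault(token, attr["href"])
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def robust_server(html):
    """Only a real <link> element inside the head counts; title text never does."""
    parser = HeadLinkParser()
    parser.feed(html)
    parser.close()
    return parser.links.get("openid.server")
```

The naive detector returns the attacker-controlled URL for both trick pages, while the parser-based one returns a server only for the page whose head actually contains a link element; a test suite of such pages, as suggested above, would catch the first kind of implementation.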