lua-users home
lua-l archive



> This is a bug in IE6. No wonder Drupal performance is so slow if they
> filter every content through a unicode regular expression just to make
> sure it will not break IE6 :)

I actually agree with Fernando on this. (The good news is that the fix
is fairly simple - see below.)

While XSS attacks are almost always based on browser bugs, the issue
goes beyond breaking IE6 for those unfortunate enough to use it. As
I understand, this particular bug in IE6 means that IE6 can see (and
execute) Javascript while a different parser (e.g., the XSS filter)
will see different markup, well-formed and compliant. This may
potentially make it possible for the attacker to connect to the site with
the victim's credentials, doing things that would affect other users, even
those not using IE. There was an XSS worm on Reddit just two weeks
ago. That one was caused by simpler issues (Reddit just wasn't
filtering javascript well enough, apparently relying on black-listing
rather than white-listing). But I think the concern is valid at least
for some sites.

I think this decision should be ultimately left to the site
administrator, but I added utf8 validation to XSSFilter[1]. Since this
requires a C library (iconv), I decided to turn it on and off based on
whether iconv is available. (So, if you want to enable it, you just
need to install iconv.) This check takes almost no time (.0001 second
per request, it seems) and there is an easy way to disable XSSFilter
in Sputnik.

The updated XSSFilter code:

http://gitorious.org/sputnik/mainline/blobs/master/xssfilter/lua/xssfilter.lua

- yuri

[1]: http://sputnik.freewisdom.org/lib/xssfilter/
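The idea behind the fix described above is that the filter and the browser must decode the same bytes into the same characters; if the input contains malformed UTF-8, a lenient browser decoder may see a "<" where a filter working on well-formed text sees nothing of the sort. The following is an added example, not the XSSFilter code from the post or from Sputnik: a strict UTF-8 validator in pure Lua (5.1 compatible, no iconv dependency) that rejects overlong sequences, stray or missing continuation bytes, surrogate code points and values beyond U+10FFFF, plus a small gate that refuses such input before it reaches any markup filter. The function names and the sample strings are this example's own inventions.

```lua
-- Added example (not from XSSFilter/Sputnik): strict UTF-8 validation as a
-- precondition for any HTML/XSS filter, in pure Lua 5.1 (no iconv needed).
-- Returns true, or false plus the 1-based byte offset of the first error.
local function utf8_valid(s)
  local i, n = 1, #s
  while i <= n do
    local c = s:byte(i)
    if c < 0x80 then
      i = i + 1                      -- plain ASCII byte
    else
      local len, cp, min
      if c >= 0xC2 and c <= 0xDF then
        len, cp, min = 2, c - 0xC0, 0x80      -- 5 payload bits in lead byte
      elseif c >= 0xE0 and c <= 0xEF then
        len, cp, min = 3, c - 0xE0, 0x800     -- 4 payload bits in lead byte
      elseif c >= 0xF0 and c <= 0xF4 then
        len, cp, min = 4, c - 0xF0, 0x10000   -- 3 payload bits in lead byte
      else
        -- 0x80..0xBF: stray continuation; 0xC0/0xC1: always overlong;
        -- 0xF5..0xFF: never valid in UTF-8
        return false, i
      end
      if i + len - 1 > n then
        return false, i              -- sequence truncated at end of input
      end
      for k = 1, len - 1 do
        local cc = s:byte(i + k)
        if cc < 0x80 or cc > 0xBF then
          return false, i + k        -- expected a continuation byte (10xxxxxx)
        end
        cp = cp * 64 + (cc - 0x80)   -- append 6 payload bits
      end
      if cp < min then return false, i end                      -- overlong form
      if cp >= 0xD800 and cp <= 0xDFFF then return false, i end -- UTF-16 surrogate
      if cp > 0x10FFFF then return false, i end                 -- outside Unicode
      i = i + len
    end
  end
  return true
end

-- Gate to run before the markup filter: malformed input is refused outright
-- rather than "repaired", so the filter never sees bytes a browser might
-- decode differently. (Hypothetical policy for this example.)
local function gate_for_filter(s)
  local ok, pos = utf8_valid(s)
  if ok then
    return s
  end
  return nil, "invalid UTF-8 at byte " .. pos
end

-- Constructed sample inputs (decimal escapes keep this Lua 5.1 compatible).
local samples = {
  ascii_markup    = "<b>hi</b>",                 -- valid
  multibyte       = "caf\195\169",               -- valid: "cafe" with U+00E9
  overlong_angle  = "\192\188script\192\190",    -- 0xC0 0xBC / 0xC0 0xBE: overlong "<" and ">"
  truncated       = "abc\226\130",               -- first two bytes of a 3-byte sequence
  stray_cont      = "\128x",                     -- continuation byte with no lead byte
  surrogate       = "\237\160\128",              -- encodes U+D800
  beyond_range    = "\244\144\128\128",          -- encodes U+110000
}

-- Runs every sample through the gate; returns name -> accepted (true/false).
local function run_checks()
  local results = {}
  for name, input in pairs(samples) do
    local accepted = gate_for_filter(input) ~= nil
    results[name] = accepted
  end
  return results
end

for name, accepted in pairs(run_checks()) do
  print(string.format("%-15s %s", name, accepted and "accepted" or "rejected"))
end
-- ascii_markup and multibyte are accepted; the other five are rejected.
```

The validator rejects input rather than stripping offending bytes: deleting or replacing bytes can itself splice two harmless fragments into a tag, so the safer policy is to reject the request (or at least refuse to render the content) and let the site administrator decide, which matches the opt-in spirit of the iconv-based check above.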