[Haskell-cafe] Re: the Network.URI parser

Neil Mitchell ndmitchell at gmail.com
Tue May 27 07:08:19 EDT 2008


Moving to haskell-cafe, as this almost certainly isn't a library issue.

Hi

> It most certainly is a security flaw.

In the src of an img, yes, probably. In the href of a link, its a
completely valid thing to do - and one that I've done loads of times.
The URI is fine, its just the particular location that is dodgy.

> whole pile of dodgy URIs. Most get culled (in my case) by the HaXml parser
> and/or XHTML 1.0 Strict validation, and now I hope to eliminate the rest by
> carefully handling the URIs.

I don't think that's possible. A URI can validly have javascript, and
can validly be a lot of things which are unsafe.

> On that topic, does anyone have any good advice for handling these things?

My advice is that you are targeting security at the wrong level. You
shouldn't be cleaning the HTML to get a secure page, you should be
having the level that interprets the HTML be secure regardless of the
input.

> If anyone knows of the state-of-the-art in this area, I'd appreciate a
> pointer.
>
> http://htmlpurifier.org/live/smoketests/printDefinition.php
>
> doesn't seem to think the style attribute is unsafe. Have they not been
> following the MySpace fiascos?

Safety is a property of the HTML viewer, not of the HTML or CSS.

Thanks

Neil


More information about the Haskell-Cafe mailing list