[Esd-l] FYI: CNN uses remotely-loaded scripting in HTML QuickNews emails
John D. Hardin
jhardin at impsec.org
Tue Sep 4 07:34:02 PDT 2001
Just thought everyone should know.
I got a complaint that the sanitizer was disabling CNN News emails, so
I subscribed to see what was going on.
Pine doesn't have a problem displaying their HTML format alerts, but
they use style tags and (shudder) iframes and scripts downloaded from
cnn.com which, when defanged, may render the mail illegible in a
Windows mail client.
Example:
<DEFANGED_IFRAME WIDTH=468 HEIGHT=60 BORDER=0 MARGINWIDTH=0
MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no
BORDERCOLOR="#990000"
SRC="http://victory.cnn.com/html.ng/Origin=cnn&PagePos=1&Section=cnnquickmailmain&Size=468x60&SpaceDesc=/ads/NG/cnnquickmailmain">
<DEFANGED_SCRIPT LANGUAGE="JavaScript1.1"
SRC="http://victory.cnn.com/js.ng/Params.richmedia=yes&Origin=cnn&PagePos=1&Section=cnnquickmailmain&Size=468x60&SpaceDesc=/ads/NG/cnnquickmailmain">
</SCRIPT><NOSCRIPT>
<A HREF = "http://victory.cnn.com/click.ng/Params.richmedia=yes&Origin=cnn&PagePos=1&Section=cnnquickmailmain&Size=468x60&SpaceDesc=/ads/NG/cnnquickmailmain&uniqueID=XXXXX" target="_top">
<DEFANGED_IMG
SRC="http://victory.cnn.com/image.ng/Params.richmedia=yes&Origin=cnn&PagePos=1&Section=cnnquickmailmain&Size=468x60&SpaceDesc=/ads/NG/cnnquickmailmain&uniqueID=XXXXX" HEIGHT="60" WIDTH="468" border=0>
</A></NOSCRIPT></IFRAME>
We may want to merge our voices and complain to CNN that scripted email
with remotely-downloaded scripts is evil, and they should stop using
it.
Alternatively, if you trust them, you could add something like:
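# Trust HTML only when all three headers point at lists.cnn.com
# (dots escaped so they match a literal "." and not any character)
:0
* ^Message-ID:.*@lists\.cnn\.com>
* ^Received:.*\(lists\.cnn\.com \[
* ^List-Unsubscribe:.*@lists\.cnn\.com>
{
SECURITY_TRUST_HTML=Y
}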
...before calling the sanitizer.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at impsec.org pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
In 1998 more than three times as many people in the US were killed
by incompetent physicians than were killed by handguns, yet the
President of the A.M.A. is adopting "gun safety" as his platform.
-----------------------------------------------------------------------
1155 days until the Presidential Election
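
Added example (not part of the original post and not the sanitizer's own code): a Python script that inventories what an HTML mail part would load from remote hosts, separating active content (script, iframe) from passive loads (img). It can be used to review a sender's mail before adding a trust exception like the recipe above. The sample message and the example.com hosts are constructed.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE = {"script", "iframe", "frame", "object", "embed"}  # can run or nest remote content
PASSIVE = {"img", "link"}                                  # fetch-only: tracking, styling
URL_ATTRS = ("src", "href", "data")

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, host) per remote load

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag not in ACTIVE and tag not in PASSIVE:
            return
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            url = urlparse(value.strip())
            # cid:, data: and relative references do not leave the message
            if url.scheme in ("http", "https") or (not url.scheme and url.netloc):
                kind = "active" if tag in ACTIVE else "passive"
                self.findings.append((kind, tag, url.hostname))

def remote_loads(raw_message):
    """Scan every text/html part of an RFC 822 message string."""
    finder = RemoteLoadFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, errors="replace")
            finder.feed(body)
    finder.close()
    return finder.findings

# Constructed sample message; hosts are placeholders under example.com.
SAMPLE = """\
From: news@lists.example.com
Content-Type: text/html; charset=us-ascii

<html><body>
<IFRAME WIDTH=468 HEIGHT=60 SRC="http://ads.example.com/html.ng/pos=1"></IFRAME>
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://ads.example.com/js.ng/pos=1"></SCRIPT>
<img src="http://img.example.com/banner.gif" height="60" width="468">
<img src="cid:logo@local">
</body></html>
"""
```

Calling `remote_loads(SAMPLE)` reports the iframe and script as active loads and the banner image as a passive one; the `cid:` image is skipped because it is carried inside the message.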