
List:       drupal-development
Subject:    [development] html attributes not filtered and the effect of not filtering
From:       Walt Daniels <wdlists () gmail ! com>
Date:       2012-01-23 17:14:52
Message-ID: CALZ-9dUyOdzYaYxkAZGXYu0=xFN-rEAtneXeQZZb1kgHtLYX6w () mail ! gmail ! com

We had the following spam posted as a comment (modified to eliminate bad
words).

<div class="content">
<p>This height should be a beautiful place and the air must be really
cool.</p>
<ul id="clean-url" class="install">
<li>Video de femmes avec ... <a href="http://www.example.com">bad site</a>
en vidéo</li>
</ul>
</div>

This is using some CSS in the standard Drupal CSS to suppress the
visibility of the bad stuff. Filtered HTML does not get rid of this. (We
allow Filtered HTML in comments.) The result is that our spam checkers
don't see the spam. Incidentally Mollom did not flag it either, although the
words in it, if in English, would probably have flagged it.

The result is that the bad site gets credit in search engines for a link
from another site and almost no one sees or clicks on the link. I think the
cloaking is also forbidden by Google, for instance, and they may penalize
our site.

----
Walt Daniels
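One defensive filter for the gap described above, as an added example (Python, not Drupal's own filter code): drop id, class and style from comment markup so user content cannot hook into the site's stylesheet, and force rel="nofollow" on every link so a hidden link earns no search-engine credit. The sample comment is reconstructed from the post; the class and function names are assumptions.

```python
import html
from html.parser import HTMLParser

# id/class/style let a commenter reuse the site's own stylesheet (or inline
# CSS) to hide a link from readers while it stays in the indexed markup.
PRESENTATION_ATTRS = {"id", "class", "style"}


class AttributeStripper(HTMLParser):
    """Re-emit markup without id/class/style and force rel="nofollow" on <a>."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities escaped as written
        self.out = []      # rebuilt markup fragments
        self.dropped = []  # (tag, attribute, value) removed, for review/logging

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:   # HTMLParser lower-cases tag and attribute names
            if name in PRESENTATION_ATTRS:
                self.dropped.append((tag, name, value))
            else:
                kept.append((name, value))
        if tag == "a":  # deny search-engine credit whether or not the link is visible
            kept = [(n, v) for n, v in kept if n != "rel"] + [("rel", "nofollow")]
        parts = [f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
                 for n, v in kept]
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_presentation_attrs(fragment):
    """Return (cleaned_html, dropped_attributes) for a user-supplied HTML fragment."""
    parser = AttributeStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: the comment quoted in the post, as it would reach the filter.
SPAM_COMMENT = ('<div class="content"><p>This height should be a beautiful place and '
                'the air must be really cool.</p><ul id="clean-url" class="install">'
                '<li>Video de femmes avec ... <a href="http://www.example.com">bad site'
                '</a> en vid&eacute;o</li></ul></div>')
```

The returned dropped list is worth logging: a comment that arrives with id or class values matching the site's own CSS selectors is itself a signal the spam checker never sees in the rendered text.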
