I am trying to make it an "intelligent" filter, in the sense of not just plainly removing the <OBJECT> tags from the page, but to look into the actual object to determine what it is and see if it is whitelisted, e.g. it will filter out Activex but let thru Flash...
Reading the W3C recommendations for HTML 4.0, it appears the codetype or type attributes of an object determine what type it is. However, I can imagine the bad guys wouldn't rely on them... As far as I understand the way IE works, I should go for the "clsid" as it determines via registry which control to start. My idea would be to deny every object tag except the value of classid which is whitelisted. Besides classid="clsid:..." I believe you can also embed e.g. java applets using the syntax classid="java:...". So the whitelist would check object's classid attribute as a whole and maybe even allow patterns (java:*). What do you experts think? Is this do-able? Are there any other ways to start ActiveX - e.g. through other object attributes?
Another problem I am facing is to find websites with built-in ActiveX code so I can examine the page source and check what types/classid they use. If you know of any, please send URL(s).
Any other ideas/suggestions would also be very welcome.
Many Thanks in advance,
July 22, 2005 6:27 AM
July 28, 2005 6:57 PM