From wdlists@gmail.com Mon Jan 23 17:14:53 2012
From: Walt Daniels
To: development@drupal.org
Subject: [development] html attributes not filtered and the effect of not filtering
Date: Mon, 23 Jan 2012 12:14:52 -0500

We had the following spam posted as a comment (modified to eliminate bad words).

<div class="content">
<p>This height should be a beautiful place and the air must be really cool.</p>
<ul id="clean-url" class="install">
<li>Video de femmes avec ... <a href="http://www.example.com">bad site</a> en vidéo</li>
</ul>
</div>
This is using some CSS in the standard Drupal CSS to suppress the visibility of the bad stuff. Filtered HTML does not get rid of this. (We allow Filtered HTML in comments.) The result is that our spam checkers don't see the spam. Incidentally, Mollom did not flag it either, although the words in it, if in English, would probably have flagged it.

The result is that the bad site gets credit in search engines for a link from another site and almost no one sees or clicks on the link. I think the cloaking is also forbidden by Google, for instance, and they may penalize our site.

----
Walt Daniels
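The cloaking mechanism described in the message above, as an added example that is not part of the original message or of Drupal's filter module: a Python tag-allowlist filter that also allowlists attributes per tag, so id, class and style never reach the stored comment, plus a check that scans markup for elements matching known hiding selectors. It assumes the rule the spam relied on is Drupal core's install-screen rule "#clean-url.install { display: none; }" (the id and class on the spam's <ul> select exactly that), uses the default Filtered HTML tag list of the Drupal 6/7 era, and rebuilds the spam sample from the message with the poster's example.com substitution. HIDING_SELECTORS, sanitize() and find_cloaked() are names chosen for this example, not Drupal APIs.

```python
"""Attribute allowlisting for a tag-allowlist HTML filter (added example, not
Drupal code). A filter that allowlists tags but passes attributes through lets
id/class on an allowed tag select a hiding rule in the site's own stylesheet,
cloaking a spam link from readers while crawlers still count it. sanitize()
keeps only per-tag allowed attributes, checks link schemes and forces
rel="nofollow"; find_cloaked() flags elements matching known hiding selectors,
for scanning comments that are already stored."""
import re
from html import escape
from html.parser import HTMLParser

# Default "Filtered HTML" tag list of Drupal 6/7 (assumption: check your site).
ALLOWED_TAGS = {"a", "em", "strong", "cite", "blockquote", "code",
                "ul", "ol", "li", "dl", "dt", "dd"}
# Per-tag attribute allowlist. Deliberately no id, class or style anywhere.
ALLOWED_ATTRS = {"a": {"href", "title"}, "blockquote": {"cite"}}
# Hiding rules assumed to exist in the site's CSS (hypothetical list); the
# entry below is Drupal core's install-screen rule the spam above targets.
HIDING_SELECTORS = ["#clean-url.install"]

_TOKEN = re.compile(r"#[\w-]+|\.[\w-]+|[a-z][\w-]*")


def matches_selector(selector, tag, attrs):
    """True if a compound selector (tag, #id, .class parts) matches an element."""
    first = {}
    for name, value in attrs:          # browsers keep the first duplicate attribute
        first.setdefault(name, value or "")
    classes = set(first.get("class", "").split())
    for tok in _TOKEN.findall(selector):
        if tok.startswith("#"):
            if first.get("id") != tok[1:]:
                return False
        elif tok.startswith("."):
            if tok[1:] not in classes:
                return False
        elif tok != tag:
            return False
    return True


def safe_url(value):
    """Allow http(s), mailto and site-relative URLs; reject javascript:, data: etc.
    Whitespace/control characters are stripped first: browsers ignore them
    inside the scheme, so "java<newline>script:" must not slip through."""
    v = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
    return v.startswith(("http://", "https://", "mailto:")) or (
        v.startswith("/") and not v.startswith("//"))


def clean_attrs(tag, attrs):
    kept = []
    for name, value in attrs:
        if name not in ALLOWED_ATTRS.get(tag, ()):
            continue                      # id, class, style, on*: all dropped
        value = value or ""
        if name in ("href", "cite") and not safe_url(value):
            continue
        kept.append((name, value))
    if tag == "a":
        kept.append(("rel", "nofollow"))  # deny the link target search credit
    return kept


class CommentFilter(HTMLParser):
    """One pass over the markup: emits sanitized HTML and records cloak hits."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.cloaked = [], [], []

    def handle_starttag(self, tag, attrs):
        for sel in HIDING_SELECTORS:
            if matches_selector(sel, tag, attrs):
                self.cloaked.append(f"<{tag}> matches hiding rule {sel}")
        if tag not in ALLOWED_TAGS:
            return                        # tag dropped; its text survives via handle_data
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"'
                            for n, v in clean_attrs(tag, attrs))
        self.out.append(f"<{tag}{attr_text}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:         # close unclosed children first, then tag
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:             # balance whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    p = CommentFilter()
    p.feed(markup)
    return p.result()


def find_cloaked(markup):
    p = CommentFilter()
    p.feed(markup)
    p.close()
    return p.cloaked


# Constructed sample: the spam from the message above, with the poster's
# example.com / "bad site" substitutions kept.
SPAM = ('<div class="content"><p>This height should be a beautiful place '
        'and the air must be really cool.</p>'
        '<ul id="clean-url" class="install"><li>Video de femmes avec ... '
        '<a href="http://www.example.com">bad site</a> en vidéo</li></ul></div>')
```

find_cloaked(SPAM) reports the <ul> as matching #clean-url.install; sanitize(SPAM) returns the comment text with no id, class or style left and the link carrying rel="nofollow", after which find_cloaked() on the result is empty. The selector matcher only understands tag, #id and .class compounds, which is enough for hiding rules of this kind; descendant or attribute selectors would need a real CSS engine. Unbalanced input is closed in order so a stray open tag in a comment cannot swallow the rest of the page.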