Re: [draft-freed-sieve-in-xml-02] Escaping "*/" In Structured Comments

[Ned Freed <ned.freed@xxxxxxxxxxx>]

> Issue
> -----
> No discussion is made about the merits of escaping content which will
> be transformed into structured comments. For example, the following
> fragment might be used to smuggle content into the script:

> <displayblock><trouble>*/
> if header :contains "from" "enemy@xxxxxxxxxxx" {
>      discard;
> }
> /*</trouble></displayblock>

> Proposal
> --------
> To "4.2. Structured Comments" Add:

>  If "*/" is found in the XML content, when mapped into a comment it
>  would prematurely terminate that comment. Escaping of this sequence
>  would often be inconvenient for processors. Editors SHALL NOT include
>  "*/" within displayblock, displaydata or foreign markup. Processors MAY
>  regard documents containing "*/" in foreign markup, displayblock
>  or displaydata as invalid.

This seems like a reasonable restriction to document.

> To "5. Security Considerations" Add:

>  Little effective protection can be offered by a processor to the user
>  of a malicious editor.

Others have pointed out that this is a more general issue for Sieve and
not specific to this document. That said, the security considerations
section here really should point out that the trust conferred on editors
must also be conferred on XML conversion components. I'm going to add
a statement to that effect.

				Ned