List: kopete-devel
Subject: Re: [kopete-devel] [PATCH] Incoming file transfer in chat window
From: "Joshua J. Berry" <des () condordes ! net>
Date: 2008-08-20 16:36:01
Message-ID: 200808200936.08584.des () condordes ! net
On Wednesday 20 August 2008 07:50:05 Martijn Klingens wrote:
...
> Back to Kopete, depending on the protocol, incoming messages are added to
> the raw HTML, making the risk that at least one protocol inadvertently
> allows injection of scripts quite real.
>
> That said, Javascript provides a load of features indeed. If there is some
> way to ensure that no incoming message can *ever* enter the system with
> means to inject Javascript (or embed iframes with Java, or whatever), then
> turning it on might actually make sense.

I agree. Turning on JavaScript is a very dangerous thing, and should be
thought through very carefully before it is done. There are far too many
creative ways to abuse it that will be thought of by people smarter than you
or me.

At the very least, you will have to scrub incoming messages clean very
carefully.

If it were me, I'd almost prefer to not open that can of worms without a very
compelling reason. I think we should try to find a way to do the file
transfer stuff without JavaScript.

-- Josh
--
Joshua J. Berry
"I haven't lost my mind -- it's backed up on tape somewhere."
-- /usr/games/fortune
_______________________________________________
kopete-devel mailing list
kopete-devel@kde.org
https://mail.kde.org/mailman/listinfo/kopete-devel
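
The scrubbing discussed in the message above, shown as an added example that is not part of the original post and is not Kopete's code: protocol-supplied text concatenated into chat markup as-is, next to the same template with every field escaped at the point of insertion. The template, the function names and the sample message are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Escape the characters that are significant in HTML text and attribute values.
std::string escapeHtml(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;  // must be handled like any other char,
        case '<':  out += "&lt;";   break;  // never re-escaped afterwards
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Hypothetical chat-line template (not Kopete's own markup).
// Unsafe form: nick and body from the protocol layer go into the HTML unchanged.
std::string renderRaw(const std::string &nick, const std::string &body) {
    return "<div class=\"msg\"><b>" + nick + "</b>: " + body + "</div>";
}

// Hardened form: every protocol-supplied field is escaped where it is inserted,
// so no single protocol plugin can forget to do it.
std::string renderEscaped(const std::string &nick, const std::string &body) {
    return "<div class=\"msg\"><b>" + escapeHtml(nick) + "</b>: " +
           escapeHtml(body) + "</div>";
}

// The template itself contains exactly four '<' characters; any more means
// markup from the message reached the document.
std::size_t countTagOpeners(const std::string &html) {
    return static_cast<std::size_t>(std::count(html.begin(), html.end(), '<'));
}

int main() {
    // Constructed sample message, not taken from any real protocol capture.
    const std::string nick = "bob", body = "<script>alert(1)</script>";
    std::cout << renderRaw(nick, body) << " -> "
              << countTagOpeners(renderRaw(nick, body)) << " tag openers\n";
    std::cout << renderEscaped(nick, body) << " -> "
              << countTagOpeners(renderEscaped(nick, body)) << " tag openers\n";
    return 0;
}
```

Escaping only covers messages treated as plain text; a protocol that carries intentional rich text needs an allow-list sanitizer rather than this function.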