
List:       kopete-devel
Subject:    Re: [kopete-devel] [PATCH] Incoming file transfer in chat window
From:       "Roman Jarosz" <roman.jarosz () gmail ! com>
Date:       2008-08-20 18:48:19
Message-ID: op.uf67utvwrj95b0 () localhost

On Wed, 20 Aug 2008 18:36:01 +0200, Joshua J. Berry <des@condordes.net> wrote:

> On Wednesday 20 August 2008 07:50:05 Martijn Klingens wrote:
> ...
>> Back to Kopete, depending on the protocol, incoming messages are added
>> to the raw HTML, making the risk that at least one protocol inadvertently
>> allows injection of scripts quite real.
>>
>> That said, Javascript provides a load of features indeed. If there is
>> some way to ensure that no incoming message can *ever* enter the system
>> with means to inject Javascript (or embed iframes with Java, or whatever),
>> then turning it on might actually make sense.
>
> I agree.  Turning on JavaScript is a very dangerous thing, and should be
> thought through very carefully before it is done.  There are far too many
> creative ways to abuse it that will be thought of by people smarter than
> you or I.
>
> At the very least, you will have to scrub incoming messages clean very
> carefully.
>
> If it were me, I'd almost prefer to not open that can of worms without a
> very compelling reason.  I think we should try to find a way to do the file
> transfer stuff without JavaScript.

IMHO there isn't any other way if we want to use FileTransferRequest.html
from Adium chat styles, because the onClick event is a JavaScript event.
It can be done with <a href=""> but then it will only work for Kopete chat
styles.

IIRC all messages are escaped before they are inserted into the chat, so IMHO
the malicious code can only be in the style.

I'm for turning on JavaScript and being compatible with Adium styles, but there
isn't a problem making it work without JS.

Regards,
Roman

_______________________________________________
kopete-devel mailing list
kopete-devel@kde.org
https://mail.kde.org/mailman/listinfo/kopete-devel
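An added example, not Kopete's or Adium's own code, of the rule Roman's reply relies on: the chat style's template keeps its own onClick handler, while everything that came from the remote contact is escaped before it is placed into the chat HTML, so only the style can contribute script. The template text, the %sender%/%message%/%id% placeholders and the acceptTransfer/renderFileTransferRequest names are assumptions for illustration.

```javascript
// Trusted chat-style template in the spirit of Adium's FileTransferRequest.html.
// The onclick handler is the style's own; the contact never controls it.
// (Template, placeholder and function names are assumptions for this example.)
const FILE_TRANSFER_TEMPLATE =
  '<div class="file-transfer"><b>%sender%</b>: %message%' +
  ' <a href="#" onclick="acceptTransfer(%id%)">Accept</a></div>';

// Escape the five characters that can open a tag or break out of an attribute
// value; whatever the contact sent becomes inert text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render an incoming request. Untrusted fields (sender, message) are escaped.
// The transfer id lands inside a script attribute, where escaping alone would
// not help, so it is validated as a non-negative integer instead.
function renderFileTransferRequest(sender, message, id) {
  if (!Number.isInteger(id) || id < 0) {
    throw new TypeError('transfer id must be a non-negative integer');
  }
  // Function replacements avoid "$&"-style substitution in the inserted text.
  return FILE_TRANSFER_TEMPLATE
    .replace('%sender%', () => escapeHtml(sender))
    .replace('%message%', () => escapeHtml(message))
    .replace('%id%', () => String(id));
}

// Constructed sample input: a contact trying to smuggle markup in the message.
const SAMPLE_SENDER = 'mallory';
const SAMPLE_MESSAGE = '<img src=x onerror="alert(1)"> wants to send you cat.jpg';

// True when the rendered HTML contains exactly the tags the trusted template
// contributes and nothing else (digits in attributes are normalised).
function onlyTemplateMarkupSurvives(html) {
  const tagsIn = (s) =>
    (s.match(/<[^>]+>/g) || []).map((t) => t.replace(/\d+/g, 'N'));
  const expected = tagsIn(renderFileTransferRequest('', '', 0));
  return JSON.stringify(tagsIn(html)) === JSON.stringify(expected);
}
```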