
List:       kopete-devel
Subject:    Re: [kopete-devel] [PATCH] Incoming file transfer in chat window
From:       Michal Svec <rebel () atrey ! karlin ! mff ! cuni ! cz>
Date:       2008-08-22 15:00:51
Message-ID: Pine.LNX.4.64.0808221656460.22754 () atrey ! karlin ! mff ! cuni ! cz


On Wed, 20 Aug 2008, Roman Jarosz wrote:

> On Wed, 20 Aug 2008 18:36:01 +0200, Joshua J. Berry <des@condordes.net> wrote:
>
>> On Wednesday 20 August 2008 07:50:05 Martijn Klingens wrote:
>> ...
>>> Back to Kopete, depending on the protocol, incoming messages are added to
>>> the raw HTML, making the risk that at least one protocol inadvertently
>>> allows injection of scripts quite real.
>>>
>>> That said, Javascript provides a load of features indeed. If there is some
>>> way to ensure that no incoming message can *ever* enter the system with
>>> means to inject Javascript (or embed iframes with Java, or whatever), then
>>> turning it on might actually make sense.
>>
>> I agree.  Turning on JavaScript is a very dangerous thing, and should be
>> thought through very carefully before it is done.  There are far too many
>> creative ways to abuse it that will be thought of by people smarter than
>> you or I.
>>
>> At the very least, you will have to scrub incoming messages clean very
>> carefully.
>>
>> If it were me, I'd almost prefer to not open that can of worms without a
>> very compelling reason.  I think we should try to find a way to do the file
>> transfer stuff without JavaScript.
>
> IMHO there isn't any other way if we want to use FileTransferRequest.html
> from Adium chat styles because the onClick event is a JavaScript event.
> It can be done with <a href="" > but then it will only work for Kopete chat
> styles.
>
> IIRC all messages are escaped before they are inserted into chat so IMHO
> the malicious code can be only in style.
>
> I'm for turning on JavaScript and being compatible with Adium styles but
> there isn't a problem to make it work without JS.

There's also a possibility to make this option available, but turned off 
by default and document the need to turn it on for those who want to use 
Adium styles (which is IMHO by far not everybody).

That way we can document this option is dangerous and it would also limit 
the impact in case of an issue.

This is, given the really need it. I agree with others these doors should 
be better closed, it's too thin ice that it's almost certain there would 
be an issue.

Michal
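
Added example, not part of the original message and not Kopete's own code: one way to make the "all messages are escaped before they are inserted" property hold for every protocol is to escape in the renderer that fills the chat style template, so the only unescaped markup in the view comes from the style itself. The function names, the %sender% and %message% placeholder names and the sample values are assumptions made for this sketch.

```cpp
#include <map>
#include <string>

// Escape the characters that can change HTML parsing context, in element
// content and in quoted attribute values alike.
std::string escapeHtml(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Fill %name% placeholders in a style template (hypothetical helper).
// Every field is escaped here, in one place, so no protocol plugin can skip
// the step. The template is scanned once and substituted text is never
// rescanned, so a message containing "%sender%" stays literal text.
std::string renderMessage(const std::string &tmpl,
                          const std::map<std::string, std::string> &fields) {
    std::string out;
    std::size_t pos = 0;
    while (pos < tmpl.size()) {
        std::size_t open = tmpl.find('%', pos);
        std::size_t close = (open == std::string::npos) ? open : tmpl.find('%', open + 1);
        if (close == std::string::npos) { out.append(tmpl, pos, std::string::npos); break; }
        out.append(tmpl, pos, open - pos);
        auto it = fields.find(tmpl.substr(open + 1, close - open - 1));
        if (it != fields.end()) { out += escapeHtml(it->second); pos = close + 1; }
        else { out += '%'; pos = open + 1; }  // not a placeholder: keep the '%'
    }
    return out;
}

// Constructed sample: a nickname that tries to add an event-handler attribute
// and a message body that carries a script tag and a placeholder name.
std::string renderSample() {
    return renderMessage(
        R"(<div class="msg" title="%sender%">%message%</div>)",
        {{"sender", R"(eve" onclick="x)"},
         {"message", "<script>x</script> %sender%"}});
}
```

With JavaScript enabled in the chat view, this leaves the style template as the only place script can come from, which is the trust boundary the thread is weighing.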