From kopete-devel Mon Aug 25 19:08:47 2008 From: Olivier Goffart Date: Mon, 25 Aug 2008 19:08:47 +0000 To: kopete-devel Subject: Re: [kopete-devel] [PATCH] Incoming file transfer in chat window Message-Id: <200808252108.54120.ogoffart () kde ! org> X-MARC-Message: https://marc.info/?l=kopete-devel&m=121969197505469 MIME-Version: 1 Content-Type: multipart/mixed; boundary="--===============1780891679==" --===============1780891679== Content-Type: multipart/signed; boundary="nextPart1591228.2LEf1o76ZF"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit --nextPart1591228.2LEf1o76ZF Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Le vendredi 22 ao=FBt 2008, Michal Svec a =E9crit=A0: > On Wed, 20 Aug 2008, Roman Jarosz wrote: > > On Wed, 20 Aug 2008 18:36:01 +0200, Joshua J. Berry = =20 wrote: > > IMHO there isn't any other way if we want to use FileTransferRequest.ht= ml > > from Adium chat styles because onClick event is JavaScript event. > > It can be done with but then it will only work for Kopete > > chat styles. > > > > IIRC all messages are escaped before they are inserted into chat so IMHO > > the malicious code can be only in style. > > > > I'm for turning on JavaScript and be compatible with Adium styles but > > there isn't problem to make it work without JS. > > There's also a possibility to make this option available, but turned off > by default and document the need to turn it on for those who want to use > Adium styles (which is IMHO by far not everybody). > > That way we can document this option is dangerous and it would also limit > the impact in case of an issue. > > This is, given the really need it. I agree with others these doors should > be better closed, it's too thin ice that it's almost certain there would > be an issue. You can have javascript if you do the call programatically i think. Enabling javascript mean that malicious user could send messages with=20 javascript that d creative stuff (accepting automatically file transfer, modify the content of a group chat= , =20 spoofing...) It is very difficult to escape correctly javascript for protocol that suppo= rt=20 html. (you can always find creative way to workaround blacklists.) I think that by default, the Jabber protocol doesn't escape javascript. I'm very opposed to enable javascript --nextPart1591228.2LEf1o76ZF Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQBIswM/z58lY8jWrL0RAvotAJ0dWcGv8xjW0u+xIT7oY99vq5BvhQCcDyow Zs58CcRs0BDucMRC0d+/1yg= =5tP7 -----END PGP SIGNATURE----- --nextPart1591228.2LEf1o76ZF-- --===============1780891679== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ kopete-devel mailing list kopete-devel@kde.org https://mail.kde.org/mailman/listinfo/kopete-devel --===============1780891679==--