List: kopete-devel
Subject: Re: [kopete-devel] [PATCH] Incoming file transfer in chat window
From: Olivier Goffart <ogoffart () kde ! org>
Date: 2008-08-25 19:08:47
Message-ID: 200808252108.54120.ogoffart () kde ! org
On Friday, 22 August 2008, Michal Svec wrote:
> On Wed, 20 Aug 2008, Roman Jarosz wrote:
> > On Wed, 20 Aug 2008 18:36:01 +0200, Joshua J. Berry <des@condordes.net> wrote:
> > IMHO there isn't any other way if we want to use FileTransferRequest.html
> > from Adium chat styles, because the onClick event is a JavaScript event.
> > It can be done with <a href="" >, but then it will only work for Kopete
> > chat styles.
> >
> > IIRC all messages are escaped before they are inserted into the chat, so IMHO
> > the malicious code can only be in the style.
> >
> > I'm for turning on JavaScript and being compatible with Adium styles, but
> > there isn't a problem making it work without JS.
>
> There's also a possibility to make this option available, but turned off
> by default and document the need to turn it on for those who want to use
> Adium styles (which is IMHO by far not everybody).
>
> That way we can document that this option is dangerous, and it would also limit
> the impact in case of an issue.
>
> This is, given they really need it. I agree with others that these doors should
> better be closed; it's such thin ice that it's almost certain there would
> be an issue.
You can have JavaScript if you do the call programmatically, I think.

Enabling JavaScript means that a malicious user could send messages with
JavaScript that do creative stuff
(accepting file transfers automatically, modifying the content of a group chat,
spoofing...).

It is very difficult to correctly escape JavaScript for protocols that support
HTML. (You can always find creative ways to work around blacklists.)
I think that by default, the Jabber protocol doesn't escape JavaScript.

I'm very opposed to enabling JavaScript.
_______________________________________________
kopete-devel mailing list
kopete-devel@kde.org
https://mail.kde.org/mailman/listinfo/kopete-devel
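Olivier's point that escaping JavaScript out of HTML messages by blacklisting is unreliable is easy to demonstrate. The following is an added example, not code from this thread or from Kopete: a naive substring blacklist of the kind a chat client might apply to incoming HTML, next to an allowlist sanitizer that rebuilds the markup from a parse and keeps only known-safe tags, attributes and URL schemes. The sample messages, the forbidden-substring list and the helper names (blacklist_strip, allowlist_sanitize, still_executable) are all constructed for the illustration; acceptFileTransfer() and spoof() stand in for whatever functions a chat style would expose to the page.

```python
"""Blacklist vs. allowlist sanitizing of HTML chat messages (added example)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages, not captured chat traffic.
SAMPLE_MESSAGES = [
    'Hello <b>world</b>, see <a href="https://example.org/">this</a>',
    '<script>alert(1)</script>',
    '<img src=x onerror="acceptFileTransfer()">',       # different event handler
    '<a href="javascript:acceptFileTransfer()">click</a>',  # script in a URL scheme
    '<b OnClick="spoof()">ok</b>',                      # case variation
]

# A typical "strip the dangerous bits" blacklist (assumed for the example).
FORBIDDEN = ("<script", "onclick=", "onload=")


def blacklist_strip(markup: str) -> str:
    """Naive blacklist: delete known-bad substrings and hope nothing else is bad."""
    out = markup
    for bad in FORBIDDEN:
        out = out.replace(bad, "")
    return out


# Allowlist policy: only these survive, everything else is dropped or escaped.
ALLOWED_TAGS = {"b", "i", "u", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https"}
DROP_CONTENT = {"script", "style"}  # text inside these is discarded, not re-emitted


class AllowlistSanitizer(HTMLParser):
    """Re-serialise the message, emitting only allowlisted tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still escaped below
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # every on* handler ends here, whatever its case or name
            if name == "href":
                scheme = urlsplit(value or "").scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    continue  # javascript:, data:, relative and empty URLs all fail closed
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def allowlist_sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def still_executable(markup: str) -> bool:
    """Crude check used only to report results: does script-capable markup remain?"""
    return re.search(r"on\w+\s*=|javascript:|<script", markup, re.IGNORECASE) is not None


def compare_all() -> list[tuple[str, bool, bool]]:
    """For each sample: (message, blacklist still executable?, allowlist still executable?)."""
    return [
        (m, still_executable(blacklist_strip(m)), still_executable(allowlist_sanitize(m)))
        for m in SAMPLE_MESSAGES
    ]


if __name__ == "__main__":
    for message, bl, al in compare_all():
        print(f"blacklist={'BYPASSED' if bl else 'ok'}  allowlist={'BYPASSED' if al else 'ok'}  {message!r}")
```

Three of the five constructed messages get past the blacklist (a handler it did not list, a javascript: URL, and a case variation), while the allowlist output never carries an event attribute or a script URL, because nothing is emitted unless it was explicitly permitted. That is the structural difference behind "you can always find creative ways to work around blacklists": a blacklist has to enumerate every trick, an allowlist only has to enumerate what the chat styles actually need.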