[Dev] Re: [Design] Obvious Scripting Security Notes

Bill de hÓra dehora at eircom.net
Mon Nov 4 04:14:07 PST 2002


Mike C. Fletcher wrote:
> I have to jump in here as a design/visual person.  I use _images_ in 
> HTML mail all the time when doing graphic design work.  [...]
> 
> On the other hand, _code_ executed from a source unknown, is just a hole 
> waiting to happen.  


Then you need to make a careful, but possibly arbitrary distinction 
between code and media. From one point of view images are code, or 
at the very least can configure the client code to do something. 
Flash MX is a good example of blurring the boundary - an image that 
can make RPC calls.

Perhaps one approach to this is the use of mimetypes to determine 
what can and can't be executed in Chandler.


> There's very little legitimate usage of it in email 
> that I've seen.  

I'm not sure about that - turning URLs into clickable links seems to 
be a very common use.

Bill de hÓra
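The mimetype gate suggested above, sketched as an added example (this is illustration code written for this page, not Chandler's code and not from the post). It assumes a hypothetical policy table that allows only bitmap images to be rendered inline, shows text/html as escaped source rather than interpreting it, and blocks anything executable by default. Because, as the post notes, an "image" can really be code, the gate also checks the leading bytes of a part against its declared type, so a Flash file labelled image/gif is refused rather than handed to an image (or Flash) renderer. The magic-byte table and the sample parts at the bottom are constructed for the example.

```python
from typing import Optional, Tuple

# Actions the client may take with a MIME part (names are assumptions for
# this example, not Chandler identifiers).
RENDER_INLINE = "render"   # decode with an image codec and display
SHOW_AS_TEXT = "text"      # display as escaped text, never interpreted
BLOCK = "block"            # do not render, do not execute

# Constructed allowlist: declared type -> permitted action.
# Anything not listed falls through to BLOCK (default deny).
POLICY = {
    "image/png": RENDER_INLINE,
    "image/jpeg": RENDER_INLINE,
    "image/gif": RENDER_INLINE,
    "text/plain": SHOW_AS_TEXT,
    "text/html": SHOW_AS_TEXT,   # shown as source, so embedded script is inert
    "application/x-shockwave-flash": BLOCK,
    "application/javascript": BLOCK,
}

# Leading bytes for the types we care about. Flash signatures are listed
# so that a part declared as an image but carrying SWF content is caught.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"FWS", "application/x-shockwave-flash"),   # uncompressed SWF
    (b"CWS", "application/x-shockwave-flash"),   # zlib-compressed SWF
    (b"ZWS", "application/x-shockwave-flash"),   # LZMA-compressed SWF
]


def sniff(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None


def normalize(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and lowercase the type."""
    return content_type.split(";", 1)[0].strip().lower()


def decide(content_type: str, data: bytes) -> Tuple[str, str]:
    """Decide what the client may do with a part.

    Returns (action, reason). A part is only rendered when its declared
    type is allowlisted AND its bytes match that type; a mismatch is
    treated as hostile and blocked.
    """
    declared = normalize(content_type)
    action = POLICY.get(declared, BLOCK)
    if action == RENDER_INLINE:
        actual = sniff(data)
        if actual != declared:
            return BLOCK, "declared %s but content looks like %s" % (
                declared, actual or "unknown")
    return action, "declared %s" % declared


if __name__ == "__main__":
    # Constructed sample parts: a real PNG header, a Flash file mislabelled
    # as a GIF, an HTML body, and an unknown binary type.
    samples = [
        ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("image/gif", b"FWS\x0a" + b"\x00" * 16),
        ("text/html; charset=utf-8", b"<script>alert(1)</script>"),
        ("application/octet-stream", b"MZ\x90\x00"),
    ]
    for ctype, body in samples:
        print(ctype, "->", decide(ctype, body))
```

The two checks are deliberately separate: the allowlist answers "is this a kind of thing we ever execute or render?", and the sniff answers "is it actually that kind of thing?". A client that trusts the Content-Type header alone still has the hole the thread is about, because the sender chooses the header.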
