[Dev] Re: [Design] Obvious Scripting Security Notes
Jack Bell
jackb at sff.net
Mon Nov 4 04:31:43 PST 2002
Tony Bowden <tony-osadev at kasei.com> said
> On Sun, Nov 03, 2002 at 11:14:23PM -0600, Jack Bell wrote:
> > BTW: I would agree about the embedded java$cript in email. Serves no purpose
> > you can't also serve by sending a link to a web page. But formatting mail
> > as HTML should certainly be allowed.
>
> Practically, how is this done?
>
> Is it a matter of scanning the mail for scripts and removing them from
> the HTML before displaying? Or can they be neutered in some other way?
That would work. Or, because Gecko is being used to display HTML, you just turn
off Javascript support in that particular instance.
> How will this impact on mail that's been PGP signed etc.
In the first instance you only munge/remove the script before you display it,
you store and check PGP against the original copy. In the second this isn't an
issue. When exporting the message you provide an option to strip scripts (and
make it default).
Jack William Bell
More information about the Dev
mailing list