Hi,

On Tuesday 18 April 2023 04:55:35, Lisandro Damián Nicanor Pérez Meyer wrote:
> On Mon, 17 Apr 2023 at 12:34, Bernhard Reiter <bernh...@intevation.de> wrote:
> > Konqueror is advertised as web browser, which means it will (offer to)
> > open URLs from different sources, e.g. when clicked from emails which
> > means external URLs and data.
>
> Same goes with KMail too :-)

Not really, KMail protects against just displaying external HTML code from mails; you need to explicitly enable it, e.g. by clicking.

> Whatever uses webengine/webkit/<web engine of the day> has the same
> issue. Well, for as long as they are a pile of embedded code, at least
> to start with.

Only if they are exposed to unfiltered external data and have active code elements enabled like <script>. I think some usage is for displaying packaged documentation.

[..]

> Same thing I said when I opposed packaging webengine, you see :-) But
> now it is packaged, and here we are :)

Qt5/6 Webengine is security maintained by upstream. It is like Firefox and Chromium; it is just a matter of packaging to find a way to deal with it, isn't it?

> > What would be the right place in debian to bring this up?
>
> Debian devel, maybe? But I did ask the same thing years ago. The reply
> was "what is the difference with a PDF?" Whatever handles untrusted
> code has the same issue.

The situation may have changed meanwhile, and it is inconsistent within Debian. The PDF engines are not listed in https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support-limited and Firefox and Chromium are not either. All are as security maintained as qtwebengine-opensource-src, but not considered of limited security support. So there are differences already within Debian.

Thanks for your response again, I'll see if I can find the time to write to debian devel.

Regards
Bernhard