Does this mean that the "view page source" link that comes up when the anonymity doesn't work in IE?
Perhaps a better approach is to treat the detection of *any* html in a text/plain document as a potential threat and warn the user (being careful to modify the "View page source" link since it would likely be ineffective). Ian. On Mon, Sep 02, 2002 at 08:06:44PM +0100, Matthew Toseland wrote: > If you insert a page of HTML as text/plain, it will not be filtered, > being a 'safe' content-type. However, M$IE (tested a fairly recent > version - somewhere between 5 and 6 inclusive), will recognize the HTML, > and render it. So... we need to have loud warnings not to use IE, all > over the place, in the README, but especially, we need fproxy to scan > for IE's header signature, and if detected bring up a clickthrough page > (like for new build versions, make it a bit more stubborn - force users > to copy a URL into the address bar by hand would do it), explaining all > this if it detects M$IE using it. Alternatively, we could filter out bad > HTML/CSS regardless of the supposed MIME type. -- Ian Clarke [EMAIL PROTECTED] Founder & Coordinator, The Freenet Project http://freenetproject.org/ Chief Technology Officer, Uprizer Inc. http://www.uprizer.com/ Personal Homepage http://locut.us/
msg03757/pgp00000.pgp
Description: PGP signature
