On Sun, 2004-01-11 at 12:07, guenther wrote:
> What you just were referring to in your OP, is a widespread method to
> only fool braindead users -- or users who do not see the target URL at
> all (sic, Evolution <= 1.4.x).
>
> This is similar to <a href="http://evil.site.com">saint</a>, where the
> user only will see the text "saint" *inside* the message. This is just
> plain HTML and *must* be this way. Anything else would be dead wrong.
>
>
> Any sensitive Browser and Mailer will show the target link in the
> statusbar, while the mouse is over the link.
>
> Evolution 1.4.x does not do this. Evolution 1.5.x does it, but I don't
> know if it may fail. IE does show it, but it *decodes* the target URL
> and may display only parts of it when certain strings (like the %01) are
> a part of the target URL (the href value).
>
>
> Hope this explained the issue. We still do not know how Evolution 1.5.x
> will actually *display* the target URL in the status bar when handling
> your attached message.

It should probably show "http://[EMAIL PROTECTED]:80/gb/servin.php" as
the target url. Or it may just not decode the encoded characters, and
display the ridiculously long string of "%01%01..."

Either way, it's not a security hole. More like another form of
indirection, kind of like when calling tech support for an ISP or such. :)
And even if you *do* click on the link, the browser should either not
work or display the url you will end up at.

However, breaking a standard in order to waste a bunch of space on an
HTML page so the full url can be displayed in the HTML renderer, is silly.

-- dobey

_______________________________________________
evolution-hackers maillist - [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution-hackers
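
The check the thread describes (show the user the host a link really goes to, whatever the link text or a userinfo prefix suggests), as an added example that is not part of the original messages or of Evolution's code. The function names, the finding labels and the sample HTML are assumptions constructed for illustration; the addresses come from documentation ranges.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample: the "saint" link from the thread, plus a link whose
# authority carries a userinfo part padded with %01 ahead of the real host.
SAMPLE = ('<a href="http://evil.site.com">saint</a> '
          '<a href="http://www.example.test%01%01@198.51.100.7:80/login">'
          'http://www.example.test/</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_link(href, text):
    """Return (real_host, findings) for one link."""
    parts = urlsplit(href)
    host = parts.hostname or ""   # host after any "user@" prefix
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo-before-host")
    # Decode the authority only to inspect it, never to display it.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(parts.netloc)):
        findings.append("control-chars-in-authority")
    # Link text that itself looks like a host name but names a different one.
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    if m and m.group(1) != host:
        findings.append("text-host-mismatch")
    return host, findings

def audit_html(html):
    """Return [(visible_text, real_host, findings), ...] for a message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, *audit_link(href, text)) for href, text in collector.links]

if __name__ == "__main__":
    for text, host, findings in audit_html(SAMPLE):
        print(f"{text!r} -> {host} {findings}")
```

The plain "saint" link produces no findings, which matches the point made in the thread that arbitrary link text is ordinary HTML; only the userinfo and control-character cases are flagged.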
