On Wed, 20 Aug 2008 18:36:01 +0200, Joshua J. Berry <[EMAIL PROTECTED]> wrote:
> On Wednesday 20 August 2008 07:50:05 Martijn Klingens wrote:
> ...
>> Back to Kopete, depending on the protocol, incoming messages are added to
>> the raw HTML, making the risk that at least one protocol inadvertently
>> allows injection of scripts quite real.
>>
>> That said, Javascript provides a load of features indeed. If there is some
>> way to ensure that no incoming message can *ever* enter the system with
>> means to inject Javascript (or embed iframes with Java, or whatever), then
>> turning it on might actually make sense.
>
> I agree. Turning on JavaScript is a very dangerous thing, and should be
> thought through very carefully before it is done. There are far too many
> creative ways to abuse it that will be thought of by people smarter than you
> or I.
>
> At the very least, you will have to scrub incoming messages clean very
> carefully.
>
> If it were me, I'd almost prefer to not open that can of worms without a very
> compelling reason. I think we should try to find a way to do the file
> transfer stuff without JavaScript.

IMHO there isn't any other way if we want to use FileTransferRequest.html from Adium chat styles, because the onClick event is a JavaScript event. It can be done with <a href=""> but then it will only work for Kopete chat styles.

IIRC all messages are escaped before they are inserted into the chat, so IMHO the malicious code can only be in the style.

I'm for turning on JavaScript and being compatible with Adium styles, but there isn't a problem with making it work without JS.

Regards,
Roman
_______________________________________________
kopete-devel mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/kopete-devel
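The point made in this thread, that if every incoming message is escaped before it reaches the chat view's HTML then only the (trusted) style itself can carry script, can be checked mechanically. The following is an added illustration, not Kopete's or Adium's code: the template markup, the %sender%/%message% placeholders, the sample message and all function names are assumptions made for the example.

```javascript
// Added example: render an untrusted chat message into a trusted chat-style
// template, escaping every untrusted field, and verify that the rendered HTML
// carries no tags beyond those the template itself contributed.

// Characters that can open a tag, close one, or break out of an attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical style template. The style author's HTML is trusted (it may
// carry a JavaScript handler, as an Adium FileTransferRequest.html does); the
// placeholders are the only places where network-supplied text is inserted.
const STYLE_TEMPLATE =
  '<div class="msg"><span class="from">%sender%</span>: ' +
  '<span class="body">%message%</span></div>';

// Constructed sample of a hostile incoming message (not real traffic).
const SAMPLE_MESSAGE = 'Hi <b>there</b> & <script>alert(1)</script>';

// Hardened path: each placeholder is filled with escaped text. A replacement
// function is used so "$&"-style sequences in user text are not expanded.
function renderMessage(template, sender, message) {
  return template
    .replace("%sender%", () => escapeHtml(sender))
    .replace("%message%", () => escapeHtml(message));
}

// The defect the thread worries about: a protocol plugin that forgets to
// escape and splices the raw message into the HTML.
function renderRaw(template, sender, message) {
  return template.replace("%sender%", () => sender).replace("%message%", () => message);
}

// Check a view could run before insertion: the multiset of tags in the
// rendered HTML must equal the multiset of tags in the template.
function onlyTemplateTags(template, rendered) {
  const tagsOf = (html) => (html.match(/<[^>]*>/g) || []).sort().join("|");
  return tagsOf(rendered) === tagsOf(template);
}

module.exports = { escapeHtml, renderMessage, renderRaw, onlyTemplateTags, STYLE_TEMPLATE, SAMPLE_MESSAGE };
```

With the escaped path the sample message survives only as inert text; with the raw path the check fails, which is exactly the case a protocol that "inadvertently allows injection" would produce.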
