On Friday, 22 August 2008, Michal Svec wrote:
> On Wed, 20 Aug 2008, Roman Jarosz wrote:
> > On Wed, 20 Aug 2008 18:36:01 +0200, Joshua J. Berry <[EMAIL PROTECTED]> wrote:
> >
> > IMHO there isn't any other way if we want to use FileTransferRequest.html
> > from Adium chat styles, because the onClick event is a JavaScript event.
> > It can be done with <a href="" >, but then it will only work for Kopete
> > chat styles.
> >
> > IIRC all messages are escaped before they are inserted into the chat, so IMHO
> > the malicious code can only be in the style.
> >
> > I'm for turning on JavaScript and being compatible with Adium styles, but
> > it isn't a problem to make it work without JS.
>
> There's also the possibility of making this option available but turned off
> by default, and documenting the need to turn it on for those who want to use
> Adium styles (which is IMHO by far not everybody).
>
> That way we can document that this option is dangerous, and it would also limit
> the impact in case of an issue.
>
> This is, given they really need it. I agree with the others that these doors should
> better be kept closed; it's such thin ice that it's almost certain there would
> be an issue.

You can have JavaScript if you do the call programmatically, I think.

Enabling JavaScript means that a malicious user could send messages with JavaScript that does creative stuff (accepting file transfers automatically, modifying the content of a group chat, spoofing...).

It is very difficult to escape JavaScript correctly for protocols that support HTML (you can always find a creative way to work around blacklists). I think that by default, the Jabber protocol doesn't escape JavaScript.

I'm very opposed to enabling JavaScript.
_______________________________________________ kopete-devel mailing list [email protected] https://mail.kde.org/mailman/listinfo/kopete-devel
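The reply above argues that blacklist-style filtering of JavaScript in HTML-capable protocols is fragile, while the earlier message notes that Kopete escapes messages before inserting them into the chat. The following is an added example, not code from Kopete or Adium, that puts the two approaches side by side: a hypothetical blacklist filter, an escaping routine, and a deliberately rough "does anything executable remain?" check (a constructed stand-in for a rendering engine, not a real one). The attacker messages are constructed for the demo; each sidesteps one blacklist rule, and none survives escaping.

```javascript
// Added example (not Kopete/Adium code): blacklist filtering of message HTML
// versus escaping the message as text before it reaches the chat style.
// All inputs are constructed for the demo; containsActiveContent() is a crude
// stand-in for what a rendering engine would actually execute.

// A hypothetical blacklist filter of the kind the reply warns against.
function blacklistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "") // drop script elements
    .replace(/\son(click|load|mouseover)\s*=/gi, " ")    // drop a few known handlers
    .replace(/javascript:/gi, "");                        // drop the URL scheme
}

// Escaping: every character that can start markup becomes an entity, so the
// message renders as literal text whatever the chat style does around it.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude detector: does the string still carry something an engine would run?
// Numeric entities are decoded first, since engines decode them inside attributes.
function containsActiveContent(html) {
  const decoded = html.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
  return (
    /<script\b/i.test(decoded) ||
    /<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(decoded) || // any on* attribute inside a tag
    /<[a-z][^>]*javascript\s*:/i.test(decoded)        // javascript: scheme inside a tag
  );
}

// Constructed attacker messages; each gets past one blacklist rule.
const PAYLOADS = [
  '<img src=x onerror="alert(1)">',           // handler not on the list
  "<svg/onload=alert(1)>",                    // no whitespace before the handler
  '<a href="java&#115;cript:alert(1)">x</a>', // entity-encoded scheme
];

function survivesBlacklist(msg) {
  return containsActiveContent(blacklistFilter(msg));
}

function survivesEscaping(msg) {
  return containsActiveContent(escapeHtml(msg));
}

// One row per payload: true means executable content is still present.
function report() {
  return PAYLOADS.map((p) => ({
    payload: p,
    afterBlacklist: survivesBlacklist(p),
    afterEscaping: survivesEscaping(p),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

Run with `node` to see the table: every payload still carries active content after the blacklist and none does after escaping. The point is the one the reply makes: a blacklist has to anticipate every handler name, scheme spelling and encoding the engine accepts, whereas escaping needs no knowledge of the engine at all, which is why it belongs on the message path and why the remaining risk is confined to the style files themselves.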
