22-Nov-99 08:46 Klaus Weide wrote:
> Have a look at this...

>  <http://www.securityfocus.com/vdb/bottom.html?section=credit&vid=804>
    !                                                         !^^^^^^^^
BTW, the mail->html converter hosted at @sig.net will not convert such a URL
properly: the anchor address/text are between ! and !, but the rest of the path
happens to be outside of <a>...</a>; see the source below:

<!-- X-URL: http://www.flora.org/lynx-dev/html/month1199/msg00544.html -->
Have a look at this...

 &lt;<A  
HREF="http://www.securityfocus.com/vdb/bottom.html?section=credit">http://www.securityfocus.com/vdb/bottom.html?section=credit</A>&amp;vid=804&gt;


> That guy likes finding problems in lynx and not telling lynx-dev a word
> about it.
He was afraid of posting to lynx-dev without being subscribed to the list.
Should we correct the text to avoid such a [mis]understanding?

> Anyway, another reason for mistrusting the Forms Based Options.

Well, it seems we need the LYNXOPTIONS: page done without temp files but via
HTStreamStack(). Would this solve all the security issues in this area?
If yes, I could provide a patch (LYNXMESSAGES: was the recent example).

BTW, the recently implemented tree view on the VisitedLinks page has an options
subpage _without_ any hidden security field, and it seems to be submitted OK.
Is that correct, or am I misunderstanding something (no code handy)?

> Old-style options do not have an 'anti-spoofing' problem.
Yes.

>    Klaus
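
Added example, not part of the original message and not the converter's own code: a Python sketch of the URL conversion problem described above. `linkify_escape_first` is a constructed faulty variant that reproduces the truncated anchor shown in the quoted source (that it escapes before matching is an assumption about how such truncation can arise); `linkify` matches the URL in the raw text and HTML-escapes afterwards. All function names are hypothetical.

```python
import html
import re

# Constructed sample: the angle-bracketed URL line quoted in the message.
SAMPLE = " <http://www.securityfocus.com/vdb/bottom.html?section=credit&vid=804>"

# Matching on RAW text: stop only at whitespace, angle brackets or a quote.
RAW_URL = re.compile(r"https?://[^\s<>\"]+")
# The faulty variant runs on already-escaped text, so it must stop at "&"
# to keep "&lt;" / "&gt;" out of the link, and so cuts off "&vid=804" too.
ESCAPED_URL = re.compile(r"https?://[^\s&]+")


def anchor(href_and_text):
    """Build the anchor from a string that is already HTML-escaped."""
    return '<A HREF="%s">%s</A>' % (href_and_text, href_and_text)


def linkify_escape_first(text):
    """Faulty order (assumed): escape everything, then look for URLs."""
    escaped = html.escape(text, quote=False)
    return ESCAPED_URL.sub(lambda m: anchor(m.group(0)), escaped)


def linkify(text):
    """Correct order: find URLs in raw text, escape each piece on output."""
    out, pos = [], 0
    for m in RAW_URL.finditer(text):
        # Trailing sentence punctuation is treated as text, not as URL.
        url = m.group(0).rstrip(".,;:!?)")
        out.append(html.escape(text[pos:m.start()]))
        out.append(anchor(html.escape(url, quote=True)))
        pos = m.start() + len(url)
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(linkify_escape_first(SAMPLE))  # query string cut at the first "&"
    print(linkify(SAMPLE))               # whole URL inside the anchor
```

Because `linkify` escapes the URL only when writing it out, the `&` in the query string becomes `&amp;` inside both the HREF attribute and the link text, and the surrounding `<` and `>` stay outside the anchor.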


