Ron Currier writes:
> Yes, obviously I know about webbugs, and yes, we put them on our e-mails
> (though we don't actually use the data for anything at this point and our
> privacy policy prohibits us from passing the individual data onto our
> clients). But I hardly consider them a "security risk". Invasion of privacy,
Actually, I'm aware of at least one instance where a bugged HTML E-mail was
used to nail down a 'perp. Although in this case a bug was used for legal
purposes, obviously that does not always have to be the case.
> maybe but that is a discussion for another time. As for rogue JavaScript,
> I don't see a problem since the browser doesn't do any HTML parsing on the
> image file, putting JavaScript into a fake .GIF won't do anything but create
> a broken image.
In the past, several browsers were caught happily executing text/javascript,
or whatever the actual MIME type is for .js, when it was loaded by an IMG
tag.
--
Sam
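
For mail administrators who want to see what the two points in this thread look like in a message body, the following is an added example, not part of the original thread or either poster's code. It audits an HTML e-mail body for IMG tags that fetch from a remote host, flagging web-bug-style 1x1 images and IMG sources whose path does not look like an image; the extension allow-list, the flag names and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg", ".bmp", ".webp"}  # assumed allow-list

# Constructed sample body; hosts and addresses are placeholders.
SAMPLE = """<html><body>
<p>Spring newsletter</p>
<img src="cid:logo@mailer.example" width="200" height="60">
<img src="http://mailer.example/open.gif?rcpt=alice%40example.org" width="1" height="1">
<img src="http://mailer.example/banner.js">
</body></html>"""

def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (optionally with a px suffix)."""
    return (value or "").strip().rstrip("px") in ("0", "1")

class ImgAuditor(HTMLParser):
    """Collects every <img> in an HTML e-mail body that triggers a network fetch."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        parts = urlsplit(src)
        # cid: and data: images travel inside the message; only remote fetches matter.
        if parts.scheme not in ("http", "https") and not src.startswith("//"):
            return
        ext = posixpath.splitext(parts.path)[1].lower()
        self.findings.append({
            "src": src,
            "host": parts.netloc,
            "tiny": _is_tiny(a.get("width")) and _is_tiny(a.get("height")),
            "has_query": bool(parts.query),      # per-recipient identifier is likely here
            "non_image_ext": ext not in IMAGE_EXTS,  # IMG pointing at non-image content
        })

def audit(html_body):
    """Return one finding per remotely loaded <img> in html_body."""
    parser = ImgAuditor()
    parser.feed(html_body)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A gateway or mail client can use findings like these to block remote image loading by default, which removes the open-tracking signal regardless of what the remote server would have returned.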