> From: Sam Varshavchik [mailto:[EMAIL PROTECTED]]
>
> > Yes, obviously I know about webbugs, and yes, we put them on our e-mails
> > (though we don't actually use the data for anything at this point and our
> > privacy policy prohibits us from passing the individual data onto our
> > clients). But I hardly consider them a "security risk".
> Invasion of privacy,
>
> Actually, I'm aware of at least one instance where a bugged HTML E-mail was
> used to nail down a 'perp. Although in this case a bug was used for legal
> purposes, obviously that does not always have to be the case.

This would make it a security risk to the individual, not the computer
(unless the computer was doing something illegal on its own). I was
interpreting "security risk" to mean a way for a hacker to gain access
to the user's computer.

> > maybe but that is a discussion for another time. As for rogue JavaScript,
> > I don't see a problem since the browser doesn't do any HTML parsing on the
> > image file, putting JavaScript into a fake .GIF won't do anything but create
> > a broken image.
>
> In the past several browsers were caught happily executing text/javascript,
> or whatever the actual MIME type is for .js, when it was loaded by an IMG
> tag.

Simply filtering IMG SRC attributes against the browser's supported image
types or .GIF, .JPG, and .PNG should solve that.

Obviously we disagree on this issue. The nice thing about Open Source
software is it doesn't prevent either of us from doing our jobs.

        - Ron
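The IMG SRC filter Ron proposes above, as an added example that is not part of the thread and not code from either participant. It keeps `<img>` tags only when the URL path ends in one of the extensions he names (plus `.jpeg`), and it goes one step further than the message: because an extension filter judges only the URL and not what the server actually returns, a second helper checks the fetched body's magic bytes so that a non-image served under an image name is rejected before the renderer sees it. The HTML sample and the byte strings are constructed for the demonstration; the `example.invalid` host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of extensions, as proposed in the reply (.jpeg added as the long form of .jpg).
ALLOWED_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png")

# File signatures for the same formats, used to check the body that actually comes back.
IMAGE_SIGNATURES = (
    b"GIF87a", b"GIF89a",        # GIF
    b"\xff\xd8\xff",             # JPEG
    b"\x89PNG\r\n\x1a\n",        # PNG
)


def src_allowed(src: str) -> bool:
    """Accept an IMG SRC only if its URL path (query string ignored) ends in an image extension.
    cid: references resolve to a path as well, so inline attachments pass the same test."""
    path = urlparse(src).path.lower()
    return path.endswith(ALLOWED_EXTENSIONS)


class ImgFilter(HTMLParser):
    """Rebuilds the markup unchanged except that <img> tags failing src_allowed() are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []       # pieces of the filtered document
        self.dropped = []   # SRC values that were removed, for logging

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src", "")
            if not src_allowed(src):
                self.dropped.append(src)
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # <img ... /> carries its own closing slash; don't emit a separate </img>.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_img_tags(html: str):
    """Return (filtered_html, list_of_dropped_src_values)."""
    parser = ImgFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


def body_is_image(data: bytes) -> bool:
    """Second line of defence: the bytes fetched for an IMG must start with a real image signature,
    regardless of the extension in the URL or the Content-Type the server claims."""
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES)


# Constructed sample message body: one normal image, one script file referenced as an image,
# one inline (cid:) image.
SAMPLE_HTML = (
    '<p>Hello &amp; welcome</p>'
    '<img src="http://example.invalid/banner.gif?id=42">'
    '<img src="http://example.invalid/track.js">'
    '<img src="cid:logo.png" />'
)

if __name__ == "__main__":
    cleaned, dropped = filter_img_tags(SAMPLE_HTML)
    print(cleaned)
    print("dropped:", dropped)
    print(body_is_image(b"GIF89a\x01\x00\x01\x00"), body_is_image(b"this is not an image"))
```

The extension check is cheap and catches the obvious `.js` case from the quoted exchange, but on its own it trusts the URL; the `body_is_image()` check is what closes the gap when a server hands back something other than an image under an image-looking name.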
