Ron Currier writes:
>> From: Sam Varshavchik [mailto:[EMAIL PROTECTED]]
>>
>> Actually, I'm aware of at least one instance where a bugged HTML E-mail was
>> used to nail down a 'perp. Although in this case a bug was used for legal
>> purposes, obviously that does not always have to be the case.
>
> This would make it a security risk to the individual, not the computer
An individual's security is just as important as the computer system's.
> (unless the computer was doing something illegal on its own). I was
It is not illegal not to want to be tagged and tracked like an exotic
animal, by an overzealous salesman/marketer.
>> In the past several browsers were caught happily executing text/javascript,
>> or whatever the actual MIME type is for .js, when it was loaded by an IMG tag.
>
> Simply filtering IMG SRC attributes against the browser's supported image
> types or .GIF, .JPG, and .PNG should solve that.
I'll be more than happy to set up for you an example page with a .gif URL
pointing to a PNG image, with the browser correctly displaying the PNG image
from a .gif URL.
Taking it a step further, it's only an issue of finding a browser with the
image/javascript bug, in order to create a simple demonstration of a URL to
HottSexxyBabez.gif that ends up running malicious javascript code.
--
Sam
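
Added example, not part of the original message or of any project's code: the point above that a URL's extension says nothing about what the server returns, shown by comparing the proposed extension filter with a check on the bytes actually fetched. The function names, the server-side fetch design and the `example.invalid` URLs are assumptions, and the sample bodies are constructed.

```python
import posixpath
from urllib.parse import urlparse

# Leading-byte signatures for the three formats named in the thread.
SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}


def extension_filter(url):
    """The check proposed in the quoted text: trust the URL's extension."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return ext in ALLOWED_EXT


def sniff_image_type(body):
    """Return the image MIME type the leading bytes indicate, or None."""
    for mime, prefixes in SIGNATURES.items():
        if body.startswith(prefixes):
            return mime
    return None


def content_check(content_type, body):
    """Decide on what was actually returned; the URL is not consulted.

    Accept only a body that is a known image format and whose declared
    Content-Type agrees with it (hypothetical policy for a mail filter
    that fetches remote images itself before showing them).
    """
    sniffed = sniff_image_type(body)
    declared = content_type.split(";")[0].strip().lower()
    if sniffed is None:
        return (False, "body is not a recognised image")
    if declared != sniffed:
        return (False, f"declared {declared}, body is {sniffed}")
    return (True, sniffed)


# Constructed responses: both URLs end in .gif, neither body is a GIF.
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SCRIPT_BODY = b"/* constructed placeholder, not an image */"
SAMPLES = [
    ("http://example.invalid/picture.gif", "image/png", PNG_BODY),
    ("http://example.invalid/picture.gif", "text/javascript", SCRIPT_BODY),
]
```

The extension filter passes both constructed URLs; only the check on the returned bytes and declared type tells the PNG apart from the non-image body.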