On 11/5/2013 2:42 PM, Brian K. White wrote:
> On 10/28/2013 11:03 PM, Linda Walsh wrote:
>> On 10/28/2013 5:16 PM, Thomas Taylor wrote:
>>> Yes, HTML is superior at transporting viruses and malware
>>> onto your computer or causing other inappropriate actions to occur.
>> That's just crap.
>> HTML transports viruses as much as txt does.
> Ok so like I said about Linda being right and reasonable most of the time... gotta have a few exceptions to prove the rule I guess?
> How anyone who knows what html is can deny that *rendering* html doesn't introduce new and vastly more powerful channels to cause your client to silently do stuff than plain text is beyond me.
Your message had "*rendering*" in bold text -- did you write in HTML?

No -- I assert that HTML is markup on text -- it isn't scripting -- but it does the same thing that some readers do automatically. Note that the fact that your reader is displaying binary data as "text" is already an interpretive layer. You can claim that interpreting a binary stream as text is vastly different than interpreting it as emphasized, italicized, or paragraph-formatted or proportional text, but it's a matter of degree. If you aren't seeing *only* electrical "on/off" states, you are seeing some level of interpretation -- even "slashdot" allows HTML (or a subset thereof) for markup.

I don't recall any instance where a site has been hacked due to a bug in an HTML renderer. If you have an example to the contrary, I'd find it very interesting, but if not, I'd say it's the same probability as worrying about viruses embedded in the headers of your email (which email readers don't show you, but are definitely used by various interpreters) or in the parity bits of your text (which most email readers ignore unless they are trying to interpret it for some purpose (like alternate charsets -- a type of markup!))...

I have seen bugs in jpg display, and audio display, but those are very rare and I really wouldn't regard them as serious threat vectors these days. Technically HTML is marginally more complex to interpret than text, but I would still ask for a proof of concept -- I don't recall it ever being seriously considered a threat vector.