Rich text holds similar risks as HTML. They are apples and oranges, though. "script" bombs target both vulnerabilities. I know for a fact that there are Notes advisories out there that take advantage of LotusScript that runs in rich text fields.

jfweber@bellsouth.net
01/24/2006 01:32 PM
Please respond to jfweber@bellsouth.net

To suse-security@suse.com
cc
Subject Re: [suse-security] Does Rich Text hold the same risks as html ?

And hence should be banned or tightly controlled locations where it can be read? OR is it a completely other kind of animal, as "safe".. at least as safe as anything coming thru the system sent by people you may, or not, know.

I only remember Marc Andreeson ( sp?) talking a lot about it during the time Netscape was the scary company in the woodwork for MS. I never got into the nuts and bolts of it... so I don't know anything about it except it looks pretty.. but so can HTML properly done. And improperly done HTML can bring a system down.. if the attacker knows enough to circumvent rules that prevent it from being displayed...

I would greatly appreciate anyone who feels they have the time to explain this to me. Pros and cons are both welcome.

TIA, y'all

--
j

"You never know until you try
It's hard to see which side you're on
Some people say you're half way here
Some people say you're half way gone"
song lyric

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here