Mailinglist Archive: opensuse-factory (1029 mails)

[opensuse-factory] Re: Testing many small file write on several filesystems
On 11/5/2013 2:42 PM, Brian K. White wrote:
> On 10/28/2013 11:03 PM, Linda Walsh wrote:
>> On 10/28/2013 5:16 PM, Thomas Taylor wrote:
>>> Yes, HTML is superior at transporting viruses and malware
>>> onto your computer or causing other inappropriate actions to occur.
>> That's just crap.
>>
>> HTML transports viruses as much as txt does.
>
> Ok so like I said about Linda being right and reasonable most of the time... gotta have a few exceptions to prove the rule I guess?
>
> How anyone who knows what html is can deny that *rendering* html doesn't introduce new and vastly more powerful channels to cause your client to silently do stuff than plain text is beyond me.
Your message had "*rendering*" in bold text -- did you write in HTML?

No -- I assert that HTML is markup on text -- it isn't scripting -- but
it does the same thing that some readers do automatically.

Note that the fact that your reader is displaying binary data as "text" is
already an interpretive layer. You can claim that interpreting a binary
stream as text is vastly different than interpreting it as emphasized,
italicized, or paragraph-formatted or proportional text, but it's
a matter of degree. If you aren't seeing *only* electrical "on/off" states,
you are seeing some level of interpretation -- even "slashdot" allows
HTML (or a subset thereof) for markup.

I don't recall any instance where a site has been hacked due to a bug in
an HTML renderer. If you have an example to the contrary, I'd find it
very interesting, but if not, I'd say it's the same probability as worrying
about viruses embedded in the headers of your email (which email readers don't
show you, but are definitely used by various interpreters) or in the
parity bits of your text (which most email readers ignore unless they are
trying to interpret it for some purpose (like alternate charsets -- a type
of markup!))...

I have seen bugs in jpg display, and audio display, but those are very rare
and I really wouldn't regard them as serious threat vectors these days.

Technically HTML is marginally more complex to interpret than text, but I would
still ask for a proof of concept -- I don't recall it ever being seriously considered
a threat vector.
