Colin Wilson wrote:
> True - but if you were to ban HTML for newsgroups because of that, how
> can you justify it in mail messages, or web pages come to that?
I think today's web requires both function and form, which HTML delivers (in part). That leaves it open to the type of attacks mentioned.
I'm not convinced that newsgroups require that same level of function and form. I guess we're coming down to a basic definition of what newsgroups are?
-- Derek Davidson http://www.ebsms.com Send SMS Text messages from your PC. For FREE!
Colin Wilson wrote:
> At the moment, XanaNews disables scripting, java and downloading
> ActiveX controls when it displays HTML messages. I should probably
> make it disable running ActiveX controls too.
I think that would be a *huge* step in the right direction.
-- Derek Davidson http://www.ebsms.com Send SMS Text messages from your PC. For FREE!
Brion L. Webster wrote:
> I think Jake's solution is to avoid using the IE HTML renderer
> (which is unfortunately the default Delphi TWebBrowser control too).
I know he is. But the simple fact is that many if not most newsgroup readers use Outlook Express, so you must change the behavior of the majority of individuals for this to happen.
> Something which can display HTML but not integrate with the shell
> as much should, in theory, be safe?
I think so, or at least safer. This means, essentially, that you have a render-only control, which doesn't do any of the other things a web browser does. Even Mozilla/Gecko has security issues, albeit fewer than IE.
To give an idea of the problem, it has long been possible to crash IE-based newsreaders by simply posting a script with a certain syntax error in a HTML message. IE tries to run the script and crashes, bringing the process which owns it down with it. Does a newsreader need JavaScript? I dunno; I don't much think it needs HTML....
Everything contained in this post that is not quoted from others, is merely an opinion. It may be a well-informed opinion motivated by an uncanny grasp of facts and amazingly well-formulated theories, but it remains opinion nevertheless. I speak for nobody but myself, and even then I may get it wrong from time to time.
Captain Jake wrote:
> "Craig Stuntz [TeamB]" <cstu...@nospam.please [a.k.a.
> vertexsoftware.com]> wrote in message
> news:4137166f@newsgroups.borland.com...
> > Does a newsreader
> > need JavaScript? I dunno; I don't much think it needs HTML....

> It needs to be able to display HTML, since there are some newsgroups
> where it is accepted practice to post using HTML.
Um, that isn't the point. I agree that a newsreader should be able to display HTML since the only thing worse, IMHO, than posting in HTML in the first place is trying to read such a message without rendering it. :) By "needs" I meant (although I guess this isn't clear in my message) that one should choose not to use it.
My real point is that if you don't allow JavaScript/ECMAScript, Flash, and the rest of the sparkly bits that they put on the web these days, you can only marginally claim to support HTML. ECMAScript, like it or not, is a recognized standard. And this makes displaying a message -- quite simple for plain text -- an extraordinarily complicated test open to all manner of exploits, as demonstrated by the ability to crash OE by posting a message with a syntax error in the script.
-Craig
-- Craig Stuntz [TeamB] . Vertex Systems Corp. . Columbus, OH Delphi/InterBase Weblog : http://blogs.teamb.com/craigstuntz IB 6 versions prior to 6.0.1.6 are pre-release and may corrupt your DBs! Open Edition users, get 6.0.1.6 from http://mers.com
> > You can turn off the display of HTML message previews in OE.

> You can turn this off in XanaNews, too. But if your solution to the
> problems with HTML is to have people not use it, what is the point of
> advocating it?
Don't know. I don't think the entire HTML standard ought to be implemented in newsgroups, just the formatting markup elements, like <b>, etc.
> My real point is that if you don't allow JavaScript/ECMAScript, Flash,
> and the rest of the sparkly bits that they put on the web these days,
> you can only marginally claim to support HTML. ECMAScript, like it or
> not, is a recognized standard. And this makes displaying a message --
> quite simple for plain text -- an extraordinarily complicated test open
> to all manner of exploits, as demonstrated by the ability to crash OE
> by posting a message with a syntax error in the script.
I think what is really needed is for an RFC that allows for limited use of some HTML text formatting elements in internet messages, rather than the all-or-nothing choice between "supporting HTML" (with all the scripting and so on) and not supporting it. I've seen such a thing called "mini-HTML" by the TMS components I use. I think that would be a good compromise to use for a standard.
In and of itself, pBear's HTML component set can't see internet connections ... it can only load content, non-programmatically, from local files.
Anything else requires specific code in the containing application to either insert content into the component (say via a stream), or to pass an unhandled http: URL request on to a shell exec browser launch.
>[snip]
>> I don't intend to use IE as the HTML renderer in my newsreader when I
>> add the ability to read HTML messages. I think that using IE to
>> render HTML is very irresponsible, TBH. My plan is to use something
>> like the HTML from pBear.

>You still got to block the all html possibility to open up a new page in
>a browser upon rendering the html..
>The HTML message itself doesn't have to be infected, only has to open
>up a remote page that is, hey presto you're infected with the new super
>duper virus that makes use of the recently discovered vulnerabilities
>of mozilla firefox..
><<<<<<<
=================== Schoeneck Howell Federal Bureau of Prisons Office of Research and Evaluation
Iman L Crawford wrote:
> "Marco Caspers" <*nosp...@haxor.vaxor.com> wrote in news:41400126$1
> @newsgroups.borland.com:
> > that makes use of the recently discovered vulnerabilities
> > of mozilla firefox..
> > It's a blog about the Delphi compiler and products which could
> > be contributed to by other people besides me, and hopefully will be
> > after I'm gone.

> Hopefully you won't be gone anytime soon. While Borland could
> probably handle it ( although they never could replace you) I don't
> think the community could handle another person leaving Borland.

> Don't hint at things like that.
Sorry Jim, but I've got bad news for you: We all go eventually. Whether by choice or by pine box, everybody goes. I have no plans to leave my current position any time soon, but then none of us have final authority in our fates, right?
I recall having this conversation with Mark Miller several years ago. Mark was genuinely upset that I could even conceive of a future where I was not part of this team. He was more upset when I pointed out that human mortality guarantees an exit. He then worried that I was suicidal or terminally ill. (I'm not)
It's not morbid, it's just practical. Make every day count, because you've only got so many days to see the sights.
In terms of team management, you can either ignore that fact of life and set yourself up for disaster when the inevitable happens, or you can build your team to survive departures and periodic change.
To assume that anyone will be working in the same office at the same job 1000 years from now is absurd.
Over the past 20 years, the Borland development team responsible for Turbo Pascal and Delphi has changed many times. Some key people, such as AndersH or ChuckJ, or Gary Whizin or Zack Urlocker, were very visible (by their choice), whereas a lot more people equally critical to the development team (such as Peter Sollich, the architect of the 32 bit Delphi compiler and my indirect mentor, and Eberhard Waiblinger, my first manager at Borland and my mentor in software quality assurance theory and application) were quite invisible, also by their choice. The team has lost members by choice, by layoff, and by mortality.
Over the next 20 years, the Borland development team will continue to change, adding people and losing people. C'est la vie.
When you build your team right, change is not the end of the world.