[Foundation-l] Re: Malicious user javascript
Tim Starling
t.starling at physics.unimelb.edu.au
Tue May 24 05:11:24 UTC 2005
kelvSYC wrote:
>> Even if we tried to place restrictions on user JavaScript or disable it
>> entirely, there is no way to protect against that distinct from general
>> restrictions on submissions from some user. The malicious user could
>> trivially substitute JavaScript that comes from their local machine or
>> another source, a modifying proxy to insert it, or use a different
>> client-side tool to perform equivalent processing.
>>
>
> It's too bad we can't prevent massive damage that may result from
> this. Oh well...
Any sysop can modify another user's javascript. So you could use that
fact to determine his IP address even if he was behind a proxy, or
encourage him to install malicious ActiveX, or crash his browser. Let's
just say it wasn't a good choice of platform on his part.
-- Tim Starling