
Re: XForms - Secure or Insecure?

From: Gary Stewart <gary@deltagreen.co.uk>
Date: Fri, 20 Aug 2004 11:08:50 +0100 (BST)
To: www-forms@w3.org
Message-ID: <Pine.LNX.4.21.0408201102130.12863-100000@riff.albionsoft.com>

On Fri, 20 Aug 2004 cperec@infopac.ru wrote:

> There are two potential sources of security concern:
> 1. That a malicious XForms-containing document can upload files from a user's 
> computer without their knowledge
> 2. A malicious XForms-containing document could download a virus or other 
> nasty to the user's computer.

I'm not sure on what basis you assume that this happens. It is correct
that XForms supports both uploading and downloading of files; however, the
only way that the user would be unaware of this is if the client allowed
this to be automated (and I assure you that people writing clients won't
do this, well not if they want the client to be used anyway). 

You can ask for a file to be uploaded, if so, this will invoke a File
Chooser which can be filtered (say if you are expecting an audio file) in
much the same way that you can upload files using an online mail system. 

You can also write the current XML document to the local disk, but again
the user will probably be asked (not always in this case, but then the
document is an XML document and therefore should not execute). For example,
XSmiles will warn if you are trying to save a new file and if you are
trying to replace an existing file. Others might allow new files to be
generated automatically, or for a file chooser (save as... type thing) to
be invoked upon a write to disk being requested.

Hope this helps alleviate your concerns.

Gary
Received on Friday, 20 August 2004 10:09:37 GMT
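
For reference, the two features discussed in the message above look like this in XForms 1.0 markup. This is an added example, not part of the original message; the instance element names and the file: path are constructed, and whether the client prompts before the file chooser or the write to disk is decided by the client, not by this markup.

```xml
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xf="http://www.w3.org/2002/xforms"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <head>
    <title>Upload and local save (constructed example)</title>
    <xf:model>
      <xf:instance>
        <!-- Constructed instance data: one node to receive the uploaded file -->
        <message xmlns="">
          <clip filename="" mediatype=""/>
        </message>
      </xf:instance>
      <!-- upload must bind to a binary (or anyURI) typed node -->
      <xf:bind nodeset="clip" type="xsd:base64Binary"/>
      <!-- Serialises the instance as XML to local disk; the path is a
           placeholder. A client can warn or show a save dialog here. -->
      <xf:submission id="save" method="put" action="file:///tmp/message.xml"/>
    </xf:model>
  </head>
  <body>
    <!-- The form can only request a file: the mediatype attribute is a hint
         the client may use to filter its file chooser, and the user picks
         the file. The markup cannot name a local path to read. -->
    <xf:upload ref="clip" mediatype="audio/*">
      <xf:label>Audio clip</xf:label>
      <xf:filename ref="@filename"/>
      <xf:mediatype ref="@mediatype"/>
    </xf:upload>
    <xf:submit submission="save">
      <xf:label>Save a copy</xf:label>
    </xf:submit>
  </body>
</html>
```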
