Re: Spyglass HTML Validator 1.0 Availability

F. E. Potts (fepotts@fepco.com)
Fri, 18 Oct 1996 11:37:38 -0600


Date: Fri, 18 Oct 1996 11:37:38 -0600
From: fepotts@fepco.com (F. E. Potts)
Message-Id: <96Oct18.113936mdt.18433@gw2.fepco.com>
To: davidp@earthlink.net
Subject: Re: Spyglass HTML Validator 1.0 Availability
Cc: www-html@w3.org

On Fri, 18 Oct 1996 08:56:10 -0600, David Perrell wrote:
> Have there been security problems with JavaScript? I thought
> JavaScript was pretty innocuous, seeing as how it's just
> human-readable statements interpreted by the UA that only affect the
> display. Are you not thinking of Java programs?

Yes, there have been problems with JavaScript:

	http://www-genome.wi.mit.edu/WWW/faqs/wwwsf7.html#Q61

	http://www.osf.org/~loverso/javascript/

While some of the problems associated with JavaScript have been fixed,
others have not, and new ones are waiting to be found.  To me,
JavaScript is about as buggy as Sendmail, and needs to be treated with
equal care.

As a result of all this, it has become a matter of course among many
who are responsible for a network's security to forbid the use of
JavaScript (along with Java and ActiveX) when it comes from the public
side of the firewall.

It is also one of the reasons why I find using JavaScript in place of
regular style-sheets a disturbing trend.

HTTP is becoming one of the new avenues of choice for getting through a
firewall, and it is a dream for social engineers.

-fep

--
fepotts@fepco.com
http://www.fepco.com/