Re: Comments on the "new" 2518 -- XSS

Jason Crawford wrote:
> 
> On Tuesday, 03/21/2006 at 03:32 CET, Julian Reschke 
> <nnjulian.reschke___at___gmx.de@smallcue.com> wrote:
>  > Hi,
>  >
>  > I think that Kevin is correct that this is a new type of attack not
>  > discussed before, although I think it's misleading to call it an XSS
>  > attack.
>  >
>  > I have opened a BugZilla issue for it
>  > (<http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=237>). Once we
>  > have consensus that this is a real problem, we need to discuss what to
>  > say in the Security Considerations section.
> 
>  From viruses, to spam, to copyrighted art,
> to offensive material, this is a pervasive issue that
> people should already be aware of.
> I don't think WebDAV adds much new here and I don't think it's
> necessary for the webdav spec to take responsibility for warning
> people about letting people or zombies put inappropriate content
> in public places.  

Jason,

the big difference here is that the vulnerability is with HTML content 
even in the absence of any browser bug. I really think this is different 
from the other stuff.

Best regards, Julian

Received on Wednesday, 22 March 2006 08:47:02 UTC