Hi.
> Bill Kearney wrote:
> > Robert Koberg wrote:
> >
> >> The problem is not with 'inherent insecurities of script languages
> >> inside content', it is with whoever maintains the server system. In
> >> other words, I think you are looking at the wrong culprit.
> >
> > Indeed. But new technologies, or new uses of existing tech, often
> > present unforeseeable risks. (ask me about
> > beaming Newton notes sometime!)
Yes! What about beaming newton notes?
> >
> > Not because it's not a cool idea but because the extant tools don't do a
> > very good job of warding off the inevitable foolishness it'd bring.
> Are we talking about client or server side scripting? I was thinking
> about server-side...
Applications have big problems getting security right with executable
but untrusted content. It sounds like you've been clever with your
Velocity setup and I think the due diligence you've done is admirable,
but having used Velocity and run into some surprisingly fundamental bugs
and shortcomings (basic escaping failures, for example), I'd like to
request that you please not keep my credit card number on that server :)

I'm just now starting to use Outlook for shared calendar with a full
Exchange server implementation and I understand now why Microsoft took
the (seemingly idiotic) approach of treating email as executables. I
still think it's absolutely crazy from a security standpoint. And need
I point out how much trouble it's caused?
---->N
>
> best,
> -Rob
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://www.oasis-open.org/mlmanage/index.php>
>