[Empeg-general] Re: HTML code in BBS post

peter@empegbbs-noreply.merlins.org peter at empegbbs-noreply.merlins.org
Wed, 20 Mar 2002 10:28:00 GMT


HTML is a *markup language*. Unless it's carrying embedded client-side JavaScript or something, I find it difficult to believe someone can do anything more malicious than linking to www.goatse.cx or using <BLINK> tags.

HTML was a markup language. These days it's a shell language for running client-side ActiveX controls and JavaScripts, all of which can take control of the browser in various eerie ways.

Presumably the BBS software never allowed unfiltered HTML to be entered into posts though; software with such a bug should never have left the building. [**] HTML that's filtered so that only certain tags (the genuine markup ones) are let through, and certainly not <script> or <object>, should be safe. Although see http://utter.chaos.org.uk/~pdh/test/ for what amounts to a "denial of service" attack, using just <table>, mounted against Netscape 4's table layout engine.

Peter
  
[**] Slight tone of sarcasm, as Outlook Express, among many others, clearly left the building with this bug in.
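The sort of filter Peter describes, as an added example that is not from the list thread or from the BBS software: a server-side allow-list sanitizer that lets genuine markup tags through, drops <script> and <object> (and anything else not on the list) while keeping their text, and also drops attributes that can carry script (onclick=, javascript: hrefs), since an allow-list of tag names alone is not enough. The tag list, the attribute list and the nesting limit (a crude guard against the nested-<table> layout attack mentioned above) are assumptions for illustration, not taken from the post.

```python
from html.parser import HTMLParser
from html import escape

# Allow-list of tags treated as "genuine markup" (assumed for this example).
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a", "blockquote",
                "code", "pre", "ul", "ol", "li", "table", "tr", "td", "th"}
# Per-tag attribute allow-list; everything else (onclick=, style=, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
# href values must start with one of these; this drops javascript:/vbscript: URLs.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")
VOID_TAGS = {"br"}
# Cap on open tags, so a post cannot nest <table> hundreds deep (assumed limit).
MAX_NESTING = 32


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input from an allow-list; unknown tags vanish, their text stays."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # emitted fragments
        self.open_stack = []   # allowed tags currently open, for balanced output

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ALLOWED_TAGS or len(self.open_stack) >= MAX_NESTING:
            return  # drop the tag entirely; its text content still flows through
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in ALLOWED_TAGS and tag in self.open_stack:
            # Close anything left open inside it so the output stays balanced.
            while self.open_stack:
                closed = self.open_stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is re-escaped, so "&lt;script&gt;" typed literally stays literal.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they carry no markup a reader needs

    def result(self):
        self.close()
        while self.open_stack:  # close tags the poster left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return the allow-listed version of an HTML fragment from a BBS post."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample post mixing markup with the things the filter must remove.
    post = ('<b onclick="evil()">hi</b><script>alert(1)</script>'
            '<a href="javascript:alert(1)">x</a><a href="http://example.com/">ok</a>'
            '<object data="x"></object><i>unclosed')
    print(sanitize(post))
```

Run stand-alone it prints the sanitized sample; the <script> and <object> elements are gone, the onclick and javascript: attributes are gone, and the unterminated <i> is closed. Note that html.parser's own treatment of <script> content means the JavaScript source survives as harmless escaped text, which is what a user who typed it into a post would expect to see.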