[Psi-devel] Jive's new stuff

David Smith catfish.man at gmail.com
Thu Feb 8 08:38:18 PST 2007


> On Feb 6, 2007, at 5:44 PM, David Smith catfish.man-at-gmail.com |psi/
> personal| wrote:
>
>> 	Hi everyone,
>>
>> 	I'm the author of the draft spec linked to from the blog entry, and
>> the current maintainer of Adium's webkit message view code, so feel
>> free to fire any questions about it my way. I'm also looking for
>> feedback on the draft spec, because I'd really rather not discover
>> some horrible issue with it *after* investing time implementing it in
>> Spark and Adium :)
>> ...
>
> Hi David,
>
> Just out of curiosity, how hard do you (or can you) try to sanitize
> incoming text to make sure that the Javascript engine and/or HTML
> renderer can't be exploited to do "bad things"? Was that a
> consideration? Is the chat stream sufficiently isolated (or scrubbed)
> so that it's not an issue?
>
> I'd hate to see IM clients start to go down the same bloody path that
> email clients have already suffered (MS Outlook, anyone?). :)
>
>   - Brian

Hi Brian,

In Adium we run everything through CFXMLCreateStringByEscapingEntities, which should sanitize things fairly effectively. This will be more of an issue for web based clients, though. I'll have to investigate how SparkWeb is handling it.

			David
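The escaping pass David describes, shown as an added example in JavaScript (the language a web based client like SparkWeb would use). This is not Adium's or SparkWeb's code; it assumes the pass replaces only the five predefined XML entities (&amp; &lt; &gt; &quot; &apos;), which is what an entity-escaping call of that kind does, and the chat lines, the HTML template and the `renderMessage`, `containsOnlyTemplateMarkup` and `renderAll` helpers are constructed for the example.

```javascript
// Added example, not code from Adium, SparkWeb or the psi project.
// Escape untrusted chat text before handing it to an HTML/JavaScript message
// view, then check that the rendered line carries no markup except the
// template's own.
//
// Assumption: the escaping pass maps exactly the five predefined XML
// entities and nothing else.
const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
const ENTITY_NAMES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function escapeEntities(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Reverse mapping; used here only to confirm the escape is lossless.
function unescapeEntities(s) {
  return String(s).replace(/&(amp|lt|gt|quot|apos);/g, (_, name) => ENTITY_NAMES[name]);
}

// Build one chat line for a message view (hypothetical template). Both the
// display name and the body come from the other party (a contact picks their
// own nickname), so both go through the escape; the template markup itself
// is trusted and is emitted as-is.
function renderMessage(sender, body) {
  return `<div class="message"><span class="sender">${escapeEntities(sender)}</span>: ` +
         `<span class="body">${escapeEntities(body)}</span></div>`;
}

// Check: after removing the template's own <div>/<span> tags, nothing that
// could be parsed as a tag or an unknown entity may remain.
const TEMPLATE_TAGS = /<\/?(div|span)\b[^<>]*>/g;
function containsOnlyTemplateMarkup(html) {
  const stripped = html.replace(TEMPLATE_TAGS, "");
  return !/[<>]/.test(stripped) && !/&(?!(amp|lt|gt|quot|apos);)/.test(stripped);
}

// Constructed sample messages (not real traffic): plain text, markup in the
// nickname, operators that collide with entities, a template break-out
// attempt, and text that already looks escaped.
const SAMPLES = [
  ["alice", "hello <b>world</b>"],
  ['<img src=x onerror="alert(1)">', "hi"],
  ["bob", "5 > 3 && 2 < 4"],
  ["mallory", "</span></div><script>document.title='x'</script>"],
  ["eve", "&lt;already escaped&gt; &amp; more"],
];

function renderAll() {
  return SAMPLES.map(([sender, body]) => renderMessage(sender, body));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of renderAll()) console.log(line);
}
```

Two points worth noticing when running it. First, text that already contains `&lt;` is escaped again and therefore displays literally as `&lt;`; that is the right outcome for chat text, since the escape is applied once, at the boundary between the protocol and the renderer, and must not try to guess whether the sender "meant" an entity. Second, entity escaping is the correct treatment only for text placed in element content or inside a quoted attribute value; it does not make a string safe to splice into a `<script>` block, an event-handler attribute or a URL attribute, so a message style's template should only ever put sender-controlled text in those first two places.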
