Re: Hotmail security vulnerability - injecting JavaScript

From: Eivind Eklund (eivindat_private)
Date: Wed Sep 15 1999 - 04:20:20 PDT


    On Wed, Sep 15, 1999 at 10:20:26AM +0300, Georgi Guninski wrote:
    > Olaf Titz wrote:
    > >
    > > In article <37DCF0FE.908E4B4Fat_private> you write:
    > > > Note: This is not a browser problem, it is Hotmail's problem.
    > >
    > > It is a browser problem, at least for the Netscape version.
    >
    > I continue to think this is NOT a browser problem. In both Netscape and
    > Internet Explorer the behaviour of executing JavaScript via STYLE tag is
    > fully documented, check the documentation. The fact that Hotmail does
    > not filter this kind of JavaScript is Hotmail's problem.
    
    The problem seems to be due to a breach of standard secure programming
    practices by Hotmail:
    
    If you are programming for security, you start by denying everything, and
    then allow through the things you know to be secure.
    
    
    This is the only way to do secure filters.  If you rely on removing the bad
    stuff, a bug will (usually) result in dangerous items passing through, and
    will most likely not be discovered.  If you rely on passing the good stuff
    (and denying everything else), a bug will (usually) result in things that
    are supposed to be passed being rejected; in this case, 22 million (or
    whatever they're up to now) screaming users would probably have told
    Microsoft about a too restrictive filter soon enough.
    
    Eivind.
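
The default-deny point in the message above, as an added example (not part of the original post and not Hotmail's code). The function names, the set of allowed tags and the sample message body are assumptions constructed for illustration; the STYLE content is a placeholder.

```python
import html
import re
from html.parser import HTMLParser

# Denylist: remove only what the author remembered to call dangerous.
DENIED = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)

def denylist_filter(markup: str) -> str:
    return DENIED.sub("", markup)

# Allowlist: deny everything, then pass only tags known to be inert.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}  # assumed safe set

class _AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are always dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is re-escaped, never raw

def allowlist_filter(markup: str) -> str:
    f = _AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)

# Constructed sample message body (placeholders, no real active content).
SAMPLE = ('<p>Hello <b>there</b></p>'
          '<script>PLACEHOLDER</script>'
          '<STYLE>PLACEHOLDER-ACTIVE-CONTENT</STYLE>'
          '<u>underlined</u>')

if __name__ == "__main__":
    # The denylist forgot STYLE, so the tag passes through silently.
    print("denylist :", denylist_filter(SAMPLE))
    # The allowlist forgot <u>, so a harmless tag is rejected instead.
    print("allowlist:", allowlist_filter(SAMPLE))
```

Both filters here have an omission: the denylist's lets the STYLE element through unnoticed, while the allowlist's only costs the user their underline, which is the kind of failure that gets reported.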
    


