Hey guys ... just a little follow up and clarification about this issue. It has been brought to my attention that perhaps this is not a "Cross site scripting" issue but simply "Javascript injection?" (for lack of a better term). My main concern with this issue is simply the fact that by going to a gopher site the javascript is executed. One might argue that any site you view has the potential for javascript to be embeded in the html... so the question becomes are there any scenarios where this could pose an added security threat? I believe .cache files are created from the contents of the gopher directory so if someone has access to add files to a gopher server they may be able to trigger this for the clients that navigate to the site. Comments? -KF
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 20:17:06 PDT