Andrew Ballard wrote:
> On 10/4/07, Chris <[EMAIL PROTECTED]> wrote:
>> Don O'Neil wrote:
>> I'm not sure how opening an email inbox can hijack pages but maybe
>> someone more creative than I can show me..
>
> I don't know about the IMAP/POP3 itself, but if you are displaying the
> messages in a web browser for something like building your own
> web-mail client, the messages themselves would make YOUR pages just as
> vulnerable to all kinds of cross-site scripting (XSS) attacks and the
> like as they would be by accepting input from a web form. (I think
> someone recently posted this link in another thread:
> http://phpsec.org/projects/guide/ )
>
> So yes, if you don't use diligence to filter that stuff out before you
> send it to the browser, someone could study your mail interface well
> enough to do anything they want by impersonating the user viewing the
> messages -- just for starters.

Good point - I should have been more explicit.

I was thinking more about processing messages and doing something with the content rather than displaying them in any way.

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
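
Added example, not part of the original thread: one message rendered in a home-built web-mail view, first with header and body values written to the page as received, then with the headers decoded and every value escaped for HTML. The function names, markup and message array are assumptions, the sample message is constructed, and the iconv extension is assumed to be available.

```php
<?php
// Added example; function names, markup and the sample message are
// illustrative assumptions, not code from the thread.

// Decode RFC 2047 encoded-words (=?UTF-8?B?...?=) before escaping, so the
// escaping applies to the text the browser would actually receive.
function decode_header_value(string $raw): string
{
    $decoded = iconv_mime_decode($raw, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, 'UTF-8');
    return $decoded === false ? $raw : $decoded;
}

// Escape a value for an HTML text or quoted-attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: message content reaches the page exactly as the sender wrote it.
function render_unsafe(array $msg): string
{
    return '<h2>' . decode_header_value($msg['subject']) . '</h2>'
         . '<p>From: ' . decode_header_value($msg['from']) . '</p>'
         . '<pre>' . $msg['body'] . '</pre>';
}

// Safer: every field is treated as untrusted input and escaped on output.
function render_safe(array $msg): string
{
    return '<h2>' . h(decode_header_value($msg['subject'])) . '</h2>'
         . '<p>From: ' . h(decode_header_value($msg['from'])) . '</p>'
         . '<pre>' . h($msg['body']) . '</pre>';
}

// Constructed sample message: markup in an encoded Subject, in the From
// display name and in the plain-text body.
$msg = [
    'subject' => '=?UTF-8?B?PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==?=',
    'from'    => '"<img src=x onerror=alert(1)>" <sender@example.com>',
    'body'    => "Hi,\n<script>alert(1)</script>\n",
];

// Report whether a live tag from the sender survives in each rendering.
foreach (['render_unsafe', 'render_safe'] as $fn) {
    $html = $fn($msg);
    $live = preg_match('/<(script|img)\b/i', $html) === 1;
    echo $fn, ': ', $live ? 'sender markup reaches the page' : 'sender markup is escaped', "\n";
}
```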
