[Sage] Sage 1.3.7 feed rendering regression
Peter Andrews
petea at jhu.edu
Fri Oct 6 09:30:53 PDT 2006
On Oct 6, 2006, at 12:02 AM, Alexander Gräf wrote:
> if object/embed-tags are a security risk, why bother filtering them out
> instead of filing a security report to Firefox? Or is there any difference
> in the security handling between the Sage rendering and the webpage itself,
> which I surely would launch if the YouTube/Google-Video would be missing and
> I wanted to watch it. At least the filtering should be an option, so users
> could decide if they need this special security measure.
Yes, there is a difference. Content rendered by Sage exists in a
local security context and therefore has access to the filesystem.
This is a security risk unless we filter out elements that could
potentially abuse these privileges. Most feeds should be unaffected,
those that contain embedded flash/quicktime objects being the most
notable exception. However, as you've suggested, in the future we
will likely offer the option to disable content sanitization for
those who feel they can trust their content sources.
peter
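As an added illustration of the sanitization step Peter describes (this is example code, not Sage's own filtering logic, which lives in a JavaScript/XUL Firefox extension): an allowlist-based sanitizer that strips plugin- and script-bearing elements (object, embed, param, applet, iframe, script, style) from a feed item before it would be rendered in a privileged context. It also drops event-handler attributes and non-http(s) URLs, and returns the list of removed elements so the UI could tell the user something was filtered. The tag policy, the sample feed item and all function names are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy (constructed for this example; not Sage's actual rules).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "img", "blockquote", "pre", "code", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
# Elements that can load a plugin or run script: removed together with
# everything inside them, not merely unwrapped.
DROPPED_TAGS = {"object", "embed", "param", "applet", "iframe", "script", "style"}
# Elements that never have an end tag. They must not open a "drop subtree",
# otherwise an unclosed <embed> would swallow the rest of the item.
VOID_TAGS = {"br", "img", "hr", "embed", "param"}
SAFE_SCHEMES = ("http://", "https://")


class FeedSanitizer(HTMLParser):
    """Re-serialise a feed item keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities decoded, re-escaped below
        self.out = []
        self.drop_depth = 0         # >0 while inside a dropped container element
        self.dropped = []           # names of removed elements, for a UI notice

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            # Inside a dropped subtree: only track nesting of container elements.
            if tag in DROPPED_TAGS and tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if tag in DROPPED_TAGS:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self.drop_depth = 1  # swallow content until the matching end tag
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # unknown tag: unwrap it, keep its text
            return
        safe_attrs = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue              # drops onclick=, style=, etc.
            if name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                continue              # drops javascript:, file:, data: URLs
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_startendtag(self, tag, attrs):
        # <embed ... /> or <br/> style syntax
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROPPED_TAGS and tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are silently discarded
    # by HTMLParser's default no-op handlers.


def sanitize(fragment):
    """Return (clean_html, dropped_element_names) for one feed item."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample item: a video post with a Flash player and inline script.
SAMPLE_ITEM = (
    '<p>New video: <a href="http://example.com/v/1" onclick="steal()">watch</a></p>'
    '<object data="http://example.com/player.swf"><param name="movie" value="x.swf">'
    '<embed src="http://example.com/player.swf"></object>'
    '<script>alert(1)</script><p>Text &amp; more</p>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE_ITEM)
    print(clean)
    print("removed:", removed)
```

The policy is an allowlist rather than a blocklist of object/embed: in a privileged rendering context anything not explicitly permitted should be unwrapped, since new plugin or script vectors appear faster than a blocklist is updated. The returned `dropped` list is the natural hook for a per-feed "trust this source" toggle of the kind the reply mentions: the sanitizer still runs, but the UI can report what was removed and let the user decide.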