Expanded registrations for KOffice mime types

David Faure david at mandrakesoft.com
Fri May 24 06:59:56 BST 2002


On Friday 24 May 2002 00:54, Marc Mutz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thursday 23 May 2002 23:42, Nicolas Goutte wrote:
> > I am sorry to be picky again!
> 
> You're welcome... ;-)
> 
> > "ZIP archives, XML files and supported image files"
> >
> > Do WMF (Windows Meta Files) count as images too? What is the security
> > status of those?
> >
> > As far as I know, KPresenter is prepared to have sound files. This
> > should perhaps be noted too, shouldn't it?
> <snip>
> > On Thursday 23 May 2002 21:36, Marc Mutz wrote:
> > (...)
> > >         As of this writing, KWord documents do not contain any
> > > active content. As such, it is believed that usage of this mimetype
> > > does not introduce security concerns other than those already
> > > inherent in ZIP archives, XML files and supported image files.
> > (...)
> 
> Hmm, of course. There opens a can of worms:
> What about e.g. SVG images with embedded JavaScript? How do you want to 
> handle those? Allow it? Ignore the JavaScript? Strip it off before 
> including it in the KApp document?

We ignore the JavaScript. This is currently done simply because Qt's SVG support
doesn't support JavaScript at all, and if we switch to ksvg one day, then we'll
disable the JavaScript. The point here is to insert vector graphics, not full-fledged
applications/animations IMHO.

> More generally: Is there a KOffice policy regarding external content 
> that may have embedded active content? (PostScript is known to be able 
> to do nasty things like IIRC accessing the local file system when 
> interpreted)

Nice.... who said we learned from Microsoft?

-- 
David FAURE, david at mandrakesoft.com, faure at kde.org
http://people.mandrakesoft.com/~david/
Contributing to: http://www.konqueror.org/, http://www.koffice.org/
KDE, Making The Future of Computing Available Today
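
The "strip it off before including it" option raised in the thread, as an added example (not KOffice code and not written by either poster): a Python sketch that removes script elements, event-handler attributes and `javascript:` links from an SVG before it is stored in a document package. The function names, the `ACTIVE_ELEMENTS` policy and the sample SVG are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed policy: the embedded image is a static vector drawing only.
ACTIVE_ELEMENTS = {"script", "foreignObject"}

# Constructed sample input, not taken from the thread.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(1)</script>
  <circle r="5" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><rect width="4" height="4"/></a>
</svg>"""


def local(name):
    """Return a tag or attribute name without its {namespace} prefix."""
    return name.rsplit("}", 1)[-1]


def strip_active_content(svg_text):
    """Return (clean_svg, removed); removed lists every item dropped."""
    if "<!ENTITY" in svg_text:
        raise ValueError("entity declarations are rejected")
    root = ET.fromstring(svg_text)
    removed = []
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
                removed.append("<%s>" % local(child.tag))
    for el in root.iter():
        for attr in list(el.attrib):
            # Drop embedded whitespace so "java\nscript:" is still caught.
            value = "".join(el.attrib[attr].split()).lower()
            is_handler = local(attr).lower().startswith("on")
            is_js_link = local(attr) == "href" and value.startswith("javascript:")
            if is_handler or is_js_link:
                del el.attrib[attr]
                removed.append("@" + local(attr))
    ET.register_namespace("", SVG_NS)  # serialize without ns0: prefixes
    return ET.tostring(root, encoding="unicode"), removed
```

This is a deny-list; an allow-list of permitted elements and attributes is the stricter form of the same policy.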





