Re: Re:Local "action" in Forms?

Frank Majewski (fmajewsk@awi-bremerhaven.de)
Tue, 2 Aug 94 17:27:43 +0200


Guy Singh, guy@x.co.uk answered:
> We've done this for a customized solution, but there are problems
> for implementing this generically.

I think there are a lot of people who want to know *more* about it, ie
HOW did you done it, or is it a secret ;-)?

> Security is the main issue. i.e. there is nothing stopping people
> writing html docs with dangerous commands as their ACTION field.

Yes, agreed, there are a lot of known security holes, BUT NONE if your
are working on *YOUR* local laptop without ANY network-connection, just
wanting LOCAL FORMS (on a CD or whatever...) to be handled by starting
the LOCAL perl-script to handle the *LOCAL* "request"!

> One of our new products has a well known browser(dare I say it... Mosaic)
> built into it as help engine/WWW navigator. We needed this local
> form processing capability. So we have restricted this to only
> allow calls to 'safe' binaries shipped with the products.

HOW?

> However I don't see this as a good solution, it was the best fit
agreed! :-))
> for the timescales we were working to. To tackle the generic solution
> we first of all need to define what the aims of local processing
> are. I think we should be using local processing in a way that
> does not involve filesystem access if we want security. The processing

This makes no sense to me (see above) but I agree under normalviewpoints...:-(

> could be done via a scripting language within the HTML document.
>
> e.g. If the user selects two list items, a third item is set automatically.
>
> The scripting language could allow return of an HTML doc created
> on the fly, or via a URL ref. So you could reference things on your
> CD based system.

> This is an interesting area of discussion, I know the HTML 2/3/x authors
> must be addressing it.

YES, I want to have more opinions, statements ....