On 10/4/07, Chris <dmagick@xxxxxxxxx> wrote:
> Don O'Neil wrote:
> I'm not sure how opening an email inbox can hijack pages but maybe
> someone more creative than I can show me..

I don't know about the IMAP/POP3 itself, but if you are displaying the messages in a web browser for something like building your own web-mail client, the messages themselves would make YOUR pages just as vulnerable to all kinds of cross-site scripting (XSS) attacks and the like as they would be by accepting input from a web form.

(I think someone recently posted this link in another thread: http://phpsec.org/projects/guide/ )

So yes, if you don't use diligence to filter that stuff out before you send it to the browser, someone could study your mail interface well enough to do anything they want by impersonating the user viewing the messages -- just for starters.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
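An added example, not part of the original message, of the output filtering described above for a web-mail page that shows fetched messages. The `$message` array is constructed sample data standing in for an IMAP/POP3 fetch, and the helper names `h`, `renderPlainBody` and `renderMessage` are hypothetical; it assumes text/plain fields only.

```php
<?php
// Constructed sample message: every field comes from the sender and must be
// treated exactly like input from a web form.
$message = [
    'from'    => '"Mallory <script>alert(1)</script>" <mallory@example.test>',
    'subject' => 'Invoice "><img src=x onerror=alert(1)>',
    'body'    => "Hello,\n<script>alert(1)</script>\nBye \xC3\x28", // ends in invalid UTF-8
];

/** Escape a value for HTML element content or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES escapes both quote styles (needed inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
    // returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a text/plain body: escape first, then add line breaks. */
function renderPlainBody(string $body): string
{
    // Order matters: nl2br() before h() would escape the <br> tags themselves.
    return nl2br(h($body), false);
}

/** Build the message view; no mail field reaches the page unescaped. */
function renderMessage(array $m): string
{
    return '<article class="mail">' . "\n"
        . '  <h1 title="' . h($m['subject']) . '">' . h($m['subject']) . "</h1>\n"
        . '  <p class="from">' . h($m['from']) . "</p>\n"
        . '  <div class="body">' . renderPlainBody($m['body']) . "</div>\n"
        . "</article>\n";
}

// Defence in depth when served over HTTP: declare the charset the escaping
// assumes, and disallow inline script in case an escape is ever missed.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

echo renderMessage($message);
```

Escaping like this is only correct for text shown as text; a text/html message part that is meant to render as markup needs an allow-list HTML sanitizer instead.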