kelvSYC wrote:
Even if we tried to place restrictions on user JavaScript or disable it
entirely, there is no way to protect against that distinct from general
restrictions on submissions from some user. The malicious user could
trivially substitute JavaScript that comes from their local machine or
another source, a modifying proxy to insert it, or use a different
client-side tool to perform equivalent processing.
It's too bad we can't prevent massive damage that may result from
this. Oh well...
Any sysop can modify another user's JavaScript. So you could use that
fact to determine his IP address even if he was behind a proxy, or
encourage him to install malicious ActiveX, or crash his browser. Let's
just say it wasn't a good choice of platform on his part.
-- Tim Starling