Roan Kattouw wrote:
"An alternative [to rejecting all ZIP files] would be to parse the entire zip directory and to reject any archives that contain a file with a .class extension. I can’t vouch for this method. **If you did this, the zip library you used would have to be exactly as tolerant of zip format errors as the one used by Java.** It would probably be best to actually shell out to Java to do the test."
(emphasis mine)
If we consider acceptable the performance of parsing full zip files (as opposed to just 512 bytes or the central directory), we can quite easily accept many zip files.
There's also the issue of the jar protocol, but that seems fixed from Firefox 2.0.0.10, so it's probably not worth taking into account. http://kb.mozillazine.org/Network.jar.open-unsafe-types
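A sketch of the full-file check discussed above, as an added example that is not part of the original post or of any project's code. Rather than trusting one parser's view of the central directory, it reads the name from every local and central header signature found anywhere in the upload and rejects on any `.class` name. It fails closed (signature bytes inside stored data can cause a false rejection) and does not prove agreement with Java's parser; the function names and sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

# (signature, offset of the name-length field, offset of the name) in each header
HEADERS = (
    (b"PK\x03\x04", 26, 30),  # local file header
    (b"PK\x01\x02", 28, 46),  # central directory file header
)

def entry_names(data: bytes) -> set:
    """Collect every file name announced by any header signature in data."""
    names = set()
    for sig, len_off, name_off in HEADERS:
        pos = data.find(sig)
        while pos != -1:
            if pos + name_off <= len(data):
                (n,) = struct.unpack_from("<H", data, pos + len_off)
                raw = data[pos + name_off : pos + name_off + n]
                # latin-1 never fails and keeps ASCII intact for the suffix test
                names.add(raw.decode("latin-1"))
            pos = data.find(sig, pos + 1)  # keep scanning the whole file
    return names

def contains_class_file(data: bytes) -> bool:
    """True if any header anywhere in the file names a .class entry."""
    return any(name.lower().endswith(".class") for name in entry_names(data))

def make_zip(names) -> bytes:
    """Build a constructed in-memory sample archive (stored, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()

# Constructed samples: a clean archive, one with a .class entry, and the same
# archive starting at offset 600, past the first 512 bytes of the file.
CLEAN = make_zip(["readme.txt", "img/logo.png"])
WITH_CLASS = make_zip(["readme.txt", "Applet.CLASS"])
OFFSET = b"\x00" * 600 + WITH_CLASS

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("class", WITH_CLASS), ("offset", OFFSET)):
        print(label, "reject" if contains_class_file(blob) else "accept")
```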