From: Chris Angelico
Newsgroups: comp.lang.python
Subject: Re: Speaking of Javascript [was Re: Everything good about Python except GUI IDE?]
Date: Thu, 3 Mar 2016 07:55:32 +1100
References: <64a6599c-fae1-469d-bcee-875165b3cc7d@googlegroups.com> <56d294f8$0$1604$c3e8da3$5496439d@news.astraweb.com> <234a398e-1b0f-467b-a8cb-d7ca748f8062@googlegroups.com> <84922f24-3e00-4a23-b26d-5e6c0d8e7e04@googlegroups.com> <87y4a5c58i.fsf@elektro.pacujo.net> <87twksdg9c.fsf@elektro.pacujo.net> <87d1rgca58.fsf@elektro.pacujo.net> <87h9grorcb.fsf@elektro.pacujo.net> <56d5c6fa$0$1595$c3e8da3$5496439d@news.astraweb.com> <56d64e83$0$1588$c3e8da3$5496439d@news.astraweb.com> <56d71d5f$0$1619$c3e8da3$5496439d@news.astraweb.com>
On Thu, Mar 3, 2016 at 5:29 AM, Jon Ribbens wrote:
> On 2016-03-02, Chris Angelico wrote:
>> To be fair, this isn't a JS exploit; it's a trusting-of-trust issue -
>> eBay has declared that you can trust them to sanitize their sellers'
>> listings, and so you trust eBay, but this exploit gets past the
>> filter.
>
> This is true. It sounds like their filter is frankly bizarre,
> I can't imagine why it works the way that has been described.

Agreed. I also don't understand why they can't simply say "no
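Added example (an editor's illustration, not code from Chris Angelico's message and not eBay's filter, whose actual bypass the thread does not describe): a filter that strips the constructs its author happened to think of, beside one that simply says "no" to every tag, attribute and URL scheme that is not on an allowlist. The seller listing, the steal() function name and the example.test host are constructed for the example.

```python
# Added example, not code from the thread: a strip-the-bad-things filter
# next to an allowlist filter. The listing HTML, the steal() name and the
# example.test host are constructed for the example; eBay's real filter
# and the bypass discussed in the thread are not described on the page.
import re
from html import escape
from html.parser import HTMLParser

# --- Blacklist filter: removes the two things its author thought of. ---
_SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
_JS_URL_RE = re.compile(r"javascript:", re.I)


def blacklist_filter(html):
    """Strip <script> elements and literal 'javascript:' URLs; pass the rest."""
    return _JS_URL_RE.sub("", _SCRIPT_RE.sub("", html))


# --- Allowlist filter: re-serialises only known-safe tags and attributes. ---
ALLOWED_TAGS = {"p", "b", "i", "br", "ul", "li", "img", "a"}
ALLOWED_ATTRS = {"img": {"src", "alt"}, "a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}   # drop the text inside these too


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitised fragments, joined at the end
        self.dropped = []    # what was refused, for logging/inspection
        self._skip = None    # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")      # e.g. onerror
                continue
            if name in ("src", "href"):
                # HTMLParser has already decoded entities such as &#x61;,
                # so the scheme check sees what the browser would see.
                if not (value or "").strip().lower().startswith(ALLOWED_SCHEMES):
                    self.dropped.append(f"{tag}@{name}={value!r}")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip is None:
            # Text is re-escaped, so a stray "<" can never reopen a tag.
            self.out.append(escape(data, quote=False))


def allowlist_filter(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed seller listing: legitimate markup plus three ways of smuggling
# script past a filter that only knows about <script> and "javascript:".
LISTING = (
    "<p>Vintage <b>Python</b> manual</p>"
    "<script>steal(document.cookie)</script>"
    '<img src="https://example.test/p.jpg" onerror="steal(document.cookie)">'
    '<a href="java\tscript:steal(1)">details</a>'     # tab splits the scheme
    '<a href="jav&#x61;script:steal(2)">more</a>'      # entity hides the "a"
)


def looks_scripty(html):
    """Crude marker used only to compare the two outputs in this example."""
    return re.search(r"\bon\w+\s*=|steal\(", html, re.I) is not None


if __name__ == "__main__":
    print("blacklist:", blacklist_filter(LISTING))
    print("allowlist:", allowlist_filter(LISTING))
```

Run it as a script to see both outputs: the blacklist version removes the `<script>` element but passes the `onerror` handler and both obfuscated `javascript:` URLs untouched, while the allowlist version keeps only the paragraph, the bold text, the image's https `src` and two bare anchors. Its `dropped` list records what was refused, which is what you would log when a listing trips the filter.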