[NTLUG:Discuss] Executable Content Considered Harmful

Richard Cobbe cobbe at directlink.net
Sun May 7 10:38:08 CDT 2000


Lo, on Friday, 5 May, 2000, Christopher Browne did write:

> But there were similar problems before the days of Windows.

<SNIP>

> 2.  Emacs editors (GNU Emacs and XEmacs) both provide the ability to
>     attach "variables," executable by the editor, to documents.
> 
>     This is quite useful if you want to, say, use a customized
>     electric-C mode for editing programs.  When you load a source code
>     file into the editor, it provides instructions to the editor as to
>     what indentation policy to apply and such.
> 
>     This is fairly well-documented as providing a "hole."  If you bring
>     in files from just anywhere, you should _not_ set up Emacs to
>     automatically evaluate such variables, as there is the risk of
>     someone dropping in nefarious code.

I'm thinking I should probably lock this down, since I use emacs almost
exclusively, even as root....  How does one disable this feature?  And
does disabling this also break the -*- foo -*- bit to throw the buffer into
foo-mode?

> 3.  Web pages do exactly the same thing; ECMAScript code that "sucks"
>     your web browser in to front pages of porn web servers is another
>     example of this.  When you can't close browser windows without another
>     one popping open to head somewhere lurid, that's another example of
>     this situation.

Right.  I actually look upon this as one of the beneficial side effects of
the love letter virus and variants.  Javascript, IM(NS)HO, should be
obliterated from the face of the planet; ILOVEYOU was just helping it
along!

<big grin for the humor-impaired>

I should probably point out that I don't really know Java/ECMAScript, so I
can't comment on the language based on its own merits.  However, as Chris
points out, it is frequently used for things that are pointless, annoying,
harassing, or any combination of the above.

Richard
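An added example, not part of the original post: a defender-side check that lists the Emacs file-variable specifications a file carries, without opening it in the editor, and flags `eval` entries. It covers both the `-*- ... -*-` line and the "Local Variables:" list discussed in the thread. The function names and the sample file are constructed for illustration, and values are split naively on `;`.

```python
import re

TAIL_CHARS = 3000  # Emacs looks for the list only near the end of the file
PROP_LINE = re.compile(r"-\*-(.*?)-\*-")
LIST_START = re.compile(r"^(.*?)Local Variables:(.*)$", re.I)
RISKY = {"eval"}  # the value is a Lisp form that Emacs would evaluate

# Constructed sample input: a C file carrying both kinds of specification.
SAMPLE = '''/* -*- mode: c; indent-tabs-mode: nil -*- */
int main(void) { return 0; }
/* Local Variables: */
/* c-basic-offset: 4 */
/* eval: (message "runs when the file is visited") */
/* End: */
'''

def _pairs(spec):
    """Split 'a: 1; b: 2' (naively, on ';'); a bare 'c' means 'mode: c'."""
    items = [s.strip() for s in spec.split(";") if s.strip()]
    return [(n.strip().lower(), v.strip()) if sep else ("mode", i)
            for i in items for n, sep, v in [i.partition(":")]]

def find_file_variables(text):
    """Return (where, name, value) for each file-variable entry in text."""
    found, lines = [], text.splitlines()
    for line in lines[:2]:  # line 2 counts only after a '#!' line; over-reporting is fine here
        m = PROP_LINE.search(line)
        if m:
            found += [("-*- line", n, v) for n, v in _pairs(m.group(1))]
            break
    tail = text[-TAIL_CHARS:].splitlines()
    start = next((i for i, l in enumerate(tail) if LIST_START.match(l)), None)
    if start is None:
        return found
    prefix, suffix = (g.strip() for g in LIST_START.match(tail[start]).groups())
    for entry in tail[start + 1:]:
        body = entry.strip()
        if prefix and body.startswith(prefix):  # entries repeat the header's prefix/suffix
            body = body[len(prefix):]
        if suffix and body.endswith(suffix):
            body = body[:-len(suffix)]
        name, _, value = body.partition(":")
        if name.strip().lower() == "end":
            break
        if name.strip():
            found.append(("Local Variables list", name.strip().lower(), value.strip()))
    return found

def risky_entries(text):
    return [e for e in find_file_variables(text) if e[1] in RISKY]
```

Running `risky_entries` over files fetched from elsewhere shows which ones would ask the editor to evaluate code before anyone visits them as root.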



