In article ,
Jeff Layman wrote:

? What's the difference if you are connected to the internet via a
mailserver, newsserver, or via a browser? If you allow http of any
sort to get through, you are wide open to malicious scripts. ...

That's not true. But describing why it's false is beyond the scope
of this group.

Other than I mistakenly wrote "http" instead of "HTML", of course it's true.

Actually, "http" is more correct than "HTML", but that's a minor point.

I suggest that you don't bother quoting Google at me on IT matters;
even in areas where I am only a second-rank expert (such as this one),
it's only going to make you look foolish.

The HTTP protocol does not require a browser to execute even a script.
Even those of its extensions that do can be run in a secure sandbox
(look up Java on this). And you can even run the whole browser in a
secure sandbox, as I have done on several systems.

But, as I said, the details of how to do that are outside the scope
of this group.


Regards,
Nick Maclaren.