Hi!
Jonathan Batista de Araujo Neto wrote:
Hello,
I noticed that the contacts get exposed on the compose page, that is, everyone reading the source could take the whole list in a text file, so he could send spam.
It does not really make any difference if the code is there as raw HTML or as a JavaScript array - it is still data that is transferred from the server to the client so it can be read and used in other ways than you would expect.
It’s not a problem for personal contacts, but if you’re in a huge company using LDAP, this could not be a good idea.
One of our programmers got around this by using Ajax and getting the contacts straight into a certain JavaScript var, instead of defining that in the page code. Since Roundcube has new releases, we had to do the workaround every time.
Still the data is transferred over the wire... no difference.
Maybe you can integrate this “feature” into the mainstream, if it is of interest to you. I can send the hacked code for version 0.1.
Thanks a lot
Jonathan Araújo
IT Infrastructure Administrator
IT Management - INDG S.A.
List info: http://lists.roundcube.net/dev/