[Techtalk] why is Active X in web pages evil, but not Perl/PHP/Javascript?

Elwing elwing at elwing.org
Thu Jan 20 04:11:58 EST 2005


I would actually lump JavaScript in with ActiveX rather than Perl/PHP, 
but you can really argue either way.

ActiveX and JavaScript are both run on the client, whereas Perl and PHP 
are run exclusively on the server.

In the case of ActiveX, you create code that is downloaded to the 
client, then the client executes it with the permissions of the user 
running IE.  ActiveX has all kinds of hooks into the operating system 
(all the same ones IE has, which makes it almost impossible to remove 
from a Windows system), including the ability to write registry entries, 
read address books, etc.  Theoretically, IE sandboxes ActiveX code, but 
many users turn this option off because it's annoying; it's also the 
default to run ActiveX code on almost all older versions of Windows.

Perl and PHP never leave the server; all that the client sees is the 
"text" output of the PHP/Perl, which makes it about as tame as a regular 
old HTML file.

JavaScript is somewhere in between; it's client code, but it's very 
limited in what it can do.


Laura


Carla Schroder wrote:
> hola techtalkers,
> 
> As the subject line says, why is Active X in web pages evil, but not 
> Perl/PHP/Javascript? I have some vague notions about operating system 
> architecture and being too friendly to remote code execution, but I would 
> appreciate some precise notions from people who know. 
> 
> thanks!
> 

