Even if JavaScript is enabled, as long as we do not allow unknown URL schemes and load the base page using a file:// URL, we should be safe. We also allow the Sigil user to disallow access to remote content and we block all POST methods. So I am feeling better about things.
Assuming we can figure out why BeckyEbook's won't work, I will clean this up to output only blocked messages to QDebug.
Until the time of our next release (however long that might be) we can work on hardening it even more if need be.