Re: NSSecureCoding & NSAttributedString
Re: NSSecureCoding & NSAttributedString
- Subject: Re: NSSecureCoding & NSAttributedString
- From: Quincey Morris <email@hidden>
- Date: Sun, 18 Feb 2018 14:26:47 -0800
On Feb 18, 2018, at 14:01 , Markus Spoettl <email@hidden> wrote:
>
> Arrays are easy to enforce but dictionaries are really a weak spot. For
> starters you can't define which classes are acceptable as keys and which as
> values. What if you have collection classes as values, what layout is
> acceptable in sub-entries? None of that is expressible.
Arrays aren't safe from structural attacks, I think. There’s no way of
expressing an array of *only* some element class — an actual element that is an
array of the stated element class will pass the global check.
> As for additional NSAttributeString "companion" classes, I'm still open for
> suggestions.
I dunno. I always though of the attributes as something extensible, but I guess
they’re not really. (They can’t be, in NSAttributedString is an interchange
format between apps.) Looking at the documented list, I would be worried about
NSTextAttachment, which isn’t even documented as conforming to NSSecureCoding.
Those NSAccessibility… keys don’t look too safe either.
At this point, though, I don’t trust myself to reason about what’s safe and
what’s not.
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden