>Would it be sufficient in your case merely to allow only .html files to >be loaded? Or URLs without .extensions? Or even just permit only the >http: protocol?
Personally, I'm just noodling around with this right now. So "my case" is the abstract case. I think the solution if one was needed would be to look at how something like Firefox implements script detection and warns about it, so all forms of scripts would be rejected. I did try loading the .py file over a remote connection, and it does seem to work as expected that way; i.e., I get a browser window with the text of the script. So the webbrowser.py module's handling of http:// accesses is definitely different from its handling of file:// accesses. --Blair -- http://mail.python.org/mailman/listinfo/python-list
