Shoutbox

The same riscs are also the when people are just excuting VBsript thereselves whitout Plus. So there won't be more riscs then you had before, only with scripting, less experienced people will be using it, that's why it is a good idea to disable scripting by default, so the user can optionaly enable it if he thinks he's experienced enough.

About being able to get somebody's password... yes probaly.. but be aware that a sctipt that runs on your own PC will only be able to steal YOUR OWN password, because the script itself won't exexute on the PC from the one you're chatting to.

It does becomes a risk when somebody logs in on a PC for a friend or whatsoever where plus! is installed and scripts are running.... that's one of the reasons why i suggested that settings should be save per MSN account, so that if people login on somebody's else PC the scripts won't be running while he/she is logged in.

Additionally Patchou could maybe deny some possible dangerous commands in the scripting engine.

Again, an excellent idea from Jae.... WSH will be downloaded only when Scripting is enabled in the Preferences. By default, it will be disabled.

As for the security, if I were you I wouldn't be afraid... as I said, scripting languages are quite limited and there is no way that using a script along, someone could get your password... to do that, they would have to program a COM object in VB or C++ and distribute it along with their script. Baiscally, if the script you downloaded has a joint DLL, OCX or EXE file, it's dangerous, else, I don't see anything the script could do along except for signing you out automatically just to annoy you . On my web site I'll list all the trusted scripts, verified by myself so that peoiple who can't read scripts can rely on an existing source of information.

For the traffic on my web site now, thank you for your concerns but for some monthes now, I'm already paying an extra for additional traffic, which brings my site to 10GB/month. I'm currently using about 6GB so it's ok.

Last but not least, I've seen that one of the most popular requested features is text-based games.. guess what.. you'll be the ones who will do them as this is an excellenent way to use scripting... text base games can be pretty complex and very interesting but from my programming point on view, I just have to notify the script when a text is received and allow the script to send it's own text.

The fact that the scripting feature will be disabled by default does not mean that no script will distributed along with MP2, keep that in mind, so my "scripting contest" is still opened. Scripting will be available along with the first Alpha version of MP2 so that you can start working on your scripts asap

Patchou.

There are two distinct modes for scripts, which is set from the program that calls the script (Plus! in this case), to either trusted or not, in one the script is given access to only the COM objects specifically added by Plus!, in the other it is free to create and use any COM object registered on the system.

The COM objects installed by WSH by default (and are required I think) include the FileSystem object, which gives near total control over the files on a computer, giving the script access to your chat logs, your documents, your windows settings, your web history. From there it can read them, delete them, or using the MAPI object it can mail them somewhere. This is only possible if Plus! says to run scripts as trusted.

In untrusted none of this is possible, only functions and objects supplied by Plus! can be used, but these will have to be checked for basic security i.e. check there isn't a function or set of functions which called with specific arguments can be used to do harm, a "NewLogFile" method is insecure if it will overwrite an old log file, so it takes a bit of thought, this can be done on the Alpha version, and would just require minor patches. The downside is that programs can't manipulate the file system, or install custom OCX/DLL's with their script for more power, and are limited by the objects supplied by Plus!

I'm not sure which level you would want to use for scripts, but it will take some careful thought.

As for installing WSH, it is common on almost all computers now, so shouldn't be a real hassle. If scripting is disabled by default then when checking the "enable scripting" button, if WSH is not installed, Plus! could either prompt the user, or throw up a progress bar of downloading and installing WSH.

I forgot to mention it, thanks ginge... I plan to run the scripts as untrusted to ensure that I'll never receive any complaint from anyone about security. For the installation of WSH, yes it's on most Windows but very often it's not up to date and the worst scenario when you want to run a script is when it does not run tough it works perfectly on your friend's computer and this is due to version mismatch of the script engine.

As for the objects I'll give to the script, there will be some, like the public Messenger objects but non which could do something bad... I mean, yes, maybe some objects will a script overwrite a log file (ONLY a log file, it won't have direct access to anyfile, I'll give it myself indirectly) but that's ok as long as the same log file can't be possibly sent my email to someone else right?

I'm sure that even with untrusted security you'll be able to do great things... text-based games is a good example.

I'm sure people will come up with great things in trusted mode, its just people will always want that little bit more (storing high scores for that text based game, storing them on a central server etc.), its just a case of being careful what you open up.

The log files was just on example, IE is always updating its security engine to fix a bug for when people use several features in conjunction, or pass weird parameters, I don't want yet another program I have to update every month with a new security patch. Its just a case of being very careful. Often obscure functions with malicious parameters have unexpected effects.

A little addition to the verion incompatibillity:

Automatically add something to every script which says which version of WSH was uses while making the script. Makes it more easy for people to exhange scripts.

Also fill-in forms you Creator/email/site/extra notes will be nice.

Any data associated with the scripts will be in the comments of the script itself... I could add special things  but for simplicity reasons, MP2 will consider any script installed in its directory as being usable, that's all. The only information it will display about them in their name. It may change as I'Ve seen that apparently XML tags can be added to VBScript/JScript... we'll see.

About security and the patch related to it, don't worry, as strange as it can seems, MP2 is not a network related software so I don't need to be careful about what resource users will access. I just have to double check my string size and nobody will be able to do anything I don't allow. For things like storing high scores, a PropertyBag object will be available and will store whatever value the user want in a regkey decided my MP2 itself... no, really, I think you shouldn't care too much about security... you'll be able to test it in the Alpha version and that will be sufficient... talking about it too much will afraid people won't don't know nothing about it.

For all of them, I repeat: scripting will be disabled by default in MP2 so if you don't want it, just forget about it

Patchou.

Thanks Patchou and ginge for the explanations. Great. We look forward for your success. Thanks again

Also, thank you for the explanations Ginge, Patchou, Jae...

Nice to see that U are finally working on version 2 Patchou