top | item 41256431

(no title)

I find it amusing that the motivation for creating a complex font program that supports syntax highlighting internally is the desire to avoid a complex syntax highlighter JavaScript library. The complexity is still there; it's just been moved around.

Edit: Perhaps this is a reminder that custom fonts are a potential attack vector for security-sensitive websites since font rendering runs highly-complex programs, probably in a language that isn't memory safe.

discuss

iFreilicht|1 year ago

This makes me curious; have there ever been security exploits that utilized the font rendering as an actual attack vector? To me it feels like font rendering should be pure (in the functional sense) and thus have no side-effects, but of course that doesn't mean anything in practice.

bean-weevil|1 year ago

Yes, pretty disastrously: https://kb.cert.org/vuls/id/354840/

As you have guessed, this used a rendering feature that was not pure.

destring|1 year ago

Tesler's Law