From: Philippe Verdy (verdy_p@wanadoo.fr)
Date: Mon May 15 2006 - 09:47:25 CDT
This suggestion won't work. The security problem is in the browser, not in the data itself, which was created on purpose to break the UTF-8 rules.
Those attempting to use this problem will generate broken UTF-8 (for example, and notably, to bypass email filtering against spam based on keyword detection).
If the filter is designed to detect specific words, and validates its input before treating it, it will not detect the forbidden characters or keywords, and the content will pass OK through these filters.
Then the content will be rendered using UTF-8, even though it should have been blocked by input filters.
----- Original Message -----
From: "Shawn Steele" <Shawn.Steele@microsoft.com>
To: "Philippe Verdy" <verdy_p@wanadoo.fr>; "Mark Davis" <mark.davis@icu-project.org>; "Doug Ewell" <dewell@adelphia.net>
Cc: "Unicode Mailing List" <unicode@unicode.org>; "Keutgen, Walter" <walter.keutgen@be.unisys.com>
Sent: Monday, May 15, 2006 8:07 AM
Subject: RE: Win IE 7b2 and UTF-8
FWIW: Presumably if someone wants to be secure about their input validation (Yen or whatever), they should probably do the validation after any conversions, which removes the possibility that a bug in the conversion invalidated any assumptions made about the conversion process.
- Shawn
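The failure mode both messages describe, as an added illustration (not code from the thread or from any browser): a keyword filter that inspects the raw bytes before conversion misses a keyword written as overlong UTF-8, a forgiving decoder then renders it anyway, while a filter that decodes strictly first and checks the decoded text (Shawn's suggestion) rejects it. The blocked keyword, the malformed sample bytes and the lenient decoder are all constructed for this example.

```python
# Added example; the keyword, the sample bytes and the lenient decoder are
# constructed stand-ins, not taken from the thread or from any real browser.
BLOCKED = "spam"  # constructed sample keyword the filter is meant to catch

# Constructed sample: "hello " followed by "spam" where each ASCII letter is
# encoded as an overlong 2-byte sequence (lead byte 0xC1). RFC 3629 forbids
# these forms; a conforming decoder must reject them.
MALFORMED = b"hello " + b"\xc1\xb3\xc1\xb0\xc1\xa1\xc1\xad"


def lenient_decode(data: bytes) -> str:
    """Models a forgiving decoder that accepts overlong 2-byte sequences
    (the browser bug the thread is about). Constructed stand-in for the
    flawed behaviour, not a reference UTF-8 implementation."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # Accepts lead bytes 0xC0/0xC1 (always overlong); a strict decoder
            # rejects them outright.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def filter_before_conversion(data: bytes) -> bool:
    """Filter that inspects raw bytes before any conversion.
    Returns True when the content is allowed through."""
    return BLOCKED.encode("utf-8") not in data


def filter_after_conversion(data: bytes) -> bool:
    """Filter that first decodes strictly (so malformed UTF-8 is rejected)
    and only then checks the decoded text. Returns True when allowed."""
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False  # malformed input is blocked instead of passed along
    return BLOCKED not in text


if __name__ == "__main__":
    print("before-conversion filter allows:", filter_before_conversion(MALFORMED))
    print("lenient decoder renders:", lenient_decode(MALFORMED))
    print("after-conversion filter allows:", filter_after_conversion(MALFORMED))
```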
This archive was generated by hypermail 2.1.5 : Mon May 15 2006 - 09:51:55 CDT