From: Doug Ewell (dewell@adelphia.net)
Date: Mon May 15 2006 - 09:55:33 CDT
Philippe Verdy <verdy underscore p at wanadoo dot fr> wrote:
> This suggestion won't work. The security problem is in the browser,
> not in the data itself which was created on purpose to break the UTF-8
> rules.
>
> Those attempting to use this problem will generate broken UTF-8 (for
> example, and notably, to bypass email filtering against spam, based on
> keyword detection).
>
> If the filter is designed to detect specific words, and validates its
> input before treating it, it will not detect the forbidden characters
> or keywords, and the content will pass OK through these filters.
>
> Then the content will be rendered using UTF-8 even though it should have
> been blocked by input filters.
Thus the statement I made earlier is proven true: people will find a way
to criticize Microsoft regardless of what they do.
Shawn Steele already said the IE team is investigating this situation.
--
Doug Ewell
Fullerton, California, USA
http://users.adelphia.net/~dewell/
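
The filter behaviour discussed in the quoted text, as an added example that is not part of the original message: a keyword filter that decodes leniently lets ill-formed UTF-8 through, while one that treats ill-formed input as a rejection fails closed. The function names, the keyword list and the sample bytes are constructed for illustration.

```python
# Added example: hypothetical filter names, constructed keyword list and sample bytes.
KEYWORDS = ("lottery",)  # constructed blocklist entry


def naive_filter(raw: bytes) -> str:
    """Decode leniently, then match keywords.

    Ill-formed bytes become U+FFFD, so a keyword that was split by them
    no longer matches and the message is passed on.
    """
    text = raw.decode("utf-8", errors="replace").lower()
    return "block" if any(k in text for k in KEYWORDS) else "pass"


def strict_filter(raw: bytes):
    """Validate first and fail closed.

    Returns (verdict, offset). Any ill-formed UTF-8 is itself a reason to
    reject, so the filter never relies on a later component decoding the
    bytes the same way it did.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return ("reject-malformed", exc.start)  # offset of first bad byte
    verdict = "block" if any(k in text.lower() for k in KEYWORDS) else "pass"
    return (verdict, None)


# Constructed inputs.
CLEAN = b"You won the lottery"
# 'o' (U+006F) written as the overlong two-byte form C1 AF, which is
# ill-formed UTF-8 and must not be decoded as 'o' by a conforming decoder.
BROKEN = b"You won the l\xc1\xaftery"
# A three-byte sequence cut short after two bytes.
TRUNCATED = b"You won the lott\xe2\x82ery"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("broken", BROKEN),
                         ("truncated", TRUNCATED)):
        print(name, naive_filter(sample), strict_filter(sample))
```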