Re: HTML5 encodings (was: Re: BOCU patent)

• Previous message: Doug Ewell: "Re: Is there a Japanese character for the word Unicode? (from Re: Unicode Haiku Contest)"
• In reply to: Chris Weber: "RE: HTML5 encodings (was: Re: BOCU patent)"
• Next in thread: Peter Krefting: "Re: HTML5 encodings (was: Re: BOCU patent)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

Chris Weber <chris at casabasecurity dot com> wrote:

> In the world of Web-apps, most encoding-related security
> vulnerabilities and exploits come from an attacker's ability to
> control the charset emitted by the page. In other words, an attacker
> injects some persistent UTF-7 encoded payload, and then manages to
> solicit a victim to visit the page where the attacker's payload will
> render AND the attacker can set the META or HTTP header charset to
> utf-7. In this case, the browser isn't auto-discovering, it sees
> UTF-7 as a valid declaration, and the Web-app is blind, just
> delivering data.

You're right, I was overly hasty in dismissing the security hazards of
UTF-7. I'm waiting, however, to see how this scenario applies to SCSU
in a way that wouldn't also apply to, say, UTF-16.

--
Doug Ewell  |  Thornton, Colorado, USA  |  http://www.ewellic.org
RFC 5645, 4645, UTN #14  |  ietf-languages @ http://is.gd/2kf0s ­

• Next message: Doug Ewell: "Re: HTML5 encodings (was: Re: BOCU patent)"
• Previous message: Doug Ewell: "Re: Is there a Japanese character for the word Unicode? (from Re: Unicode Haiku Contest)"
• In reply to: Chris Weber: "RE: HTML5 encodings (was: Re: BOCU patent)"
• Next in thread: Peter Krefting: "Re: HTML5 encodings (was: Re: BOCU patent)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.5 : Tue Dec 22 2009 - 22:05:57 CST