From: Philippe Verdy (verdy_p@wanadoo.fr)
Date: Wed Jan 10 2007 - 05:10:11 CST
From: "Tom Gewecke" <tom@bluesky.org>
> On Jan 9, 2007, at 2:43 AM, Luke Onslow wrote:
> Actually it seems to be only Mozilla, and another poster indicated it
> will soon be fixed. The behavior does illustrate the kind of strange
> things that can happen when some of the bounds and other definitions of
> the Standard are accidentally ignored. In my particular Firefox case,
> further tests indicate that there is another bug which seems to allow
> any character U in the BMP (usually followed by a question mark) to be
> generated by an NCR in "hyperspace" using the formula:
>
> xNCR = (xU + x2800)*x400 + x10000
>
> An example spelling UNICODE can be seen here:
>
> http://homepage.mac.com/thgewecke/uncrs.html
Note that this "bug" does not permit the confusion (so this is probably not a security issue), because each generated character is followed by an unpaired low surrogate, which is clearly invalid when handling the document with the internal UTF-16 encoding (as seen from Javascript), and which is displayed as a question mark. It will be extremely difficult to find a case where this constitutes a security issue within Mozilla browsers, unless unpaired surrogates cause unexpected/uncaught exceptions in some active component or plugin, outside the HTML renderer; but maybe this may affect some Mozilla components integrated in server-side applications that are handling remote XML requests (I don't know exactly which component parses the HTML or XML documents in Firefox and Mozilla browsers, but today, this kind of parser is often a separate general purpose component used in many apps, and not only browsers).
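The conversion that Tom's formula relies on, and the range check that prevents it, as an added Python example that is not part of this thread. The "buggy" converter below is a model of the behaviour the messages describe (a value above U+10FFFF split into a surrogate pair with the high half truncated to 16 bits); it is an assumption for illustration, not Mozilla's actual code. The example also shows why the result is harmless in the way Philippe describes: every generated BMP character is followed by a lone U+DC00, which a simple unpaired-surrogate scan flags.

```python
# Added example (not from the mailing-list thread): models the NCR-to-UTF-16
# conversion behind Tom Gewecke's formula, the validation that prevents it,
# and a detector for the unpaired low surrogate the bug leaves behind.

def ncr_hyperspace(u: int) -> int:
    """Tom's formula: xNCR = (xU + x2800)*x400 + x10000.
    Produces a value far beyond U+10FFFF ("hyperspace")."""
    return (u + 0x2800) * 0x400 + 0x10000


def buggy_ncr_to_utf16(cp: int) -> list:
    """Assumed model of the described defect: any value >= 0x10000 is split
    into a surrogate pair without checking cp <= 0x10FFFF, and the high
    half is stored in a 16-bit code unit, so it wraps around."""
    if cp < 0x10000:
        return [cp]
    v = cp - 0x10000
    high = (0xD800 + (v >> 10)) & 0xFFFF   # 16-bit truncation is the defect
    low = 0xDC00 + (v & 0x3FF)
    return [high, low]


def safe_ncr_to_utf16(cp: int) -> list:
    """Reject anything outside the Unicode scalar-value range, then encode."""
    if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"invalid numeric character reference: {cp:#x}")
    if cp < 0x10000:
        return [cp]
    v = cp - 0x10000
    return [0xD800 + (v >> 10), 0xDC00 + (v & 0x3FF)]


def has_unpaired_surrogate(units: list) -> bool:
    """Scan UTF-16 code units for a lone high or low surrogate."""
    i = 0
    while i < len(units):
        cu = units[i]
        if 0xD800 <= cu <= 0xDBFF:
            # A high surrogate must be immediately followed by a low one.
            if i + 1 < len(units) and 0xDC00 <= units[i + 1] <= 0xDFFF:
                i += 2
                continue
            return True
        if 0xDC00 <= cu <= 0xDFFF:
            return True
        i += 1
    return False


def spell_via_hyperspace(text: str) -> list:
    """Run each character's hyperspace NCR through the buggy converter,
    reproducing the 'U?N?I?C?O?D?E?' pattern described in the thread."""
    units = []
    for ch in text:
        units.extend(buggy_ncr_to_utf16(ncr_hyperspace(ord(ch))))
    return units


if __name__ == "__main__":
    units = spell_via_hyperspace("UNICODE")
    print([f"{u:#06x}" for u in units])
    print("unpaired surrogate present:", has_unpaired_surrogate(units))
    try:
        safe_ncr_to_utf16(ncr_hyperspace(ord("U")))
    except ValueError as e:
        print("rejected:", e)
```

For a BMP character U, the high half computes to 0xD800 + U + 0x2800 = U + 0x10000, which a 16-bit code unit stores as plain U, while the low half is always exactly 0xDC00; that lone low surrogate is the question mark seen after each letter. Genuine supplementary code points such as U+1F600 encode identically through both converters, so the only observable difference is the range check.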
This archive was generated by hypermail 2.1.5 : Thu Jan 18 2007 - 15:55:40 CST