- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 29 Aug 2008 20:12:41 +0000 (UTC)
- To: "Phillips, Addison" <addison@amazon.com>
- Cc: "public-i18n-core@w3.org" <public-i18n-core@w3.org>
On Fri, 29 Aug 2008, Phillips, Addison wrote: > > In particular, the *autodetection* of UTF-7 as an encoding in Web pages > should be a "MUST NOT" in HTML5, IMHO, because that is a well-known XSS > attack. Auto-detection of UTF-7 serves no other purpose in real-world > Web documents. I believe there is a TAG finding to this effect. Further, > the authors of the UTF-7 RFCs have expressed support for that course of > action (as has the I18N WG and, I believe, the UTC). Is there something in HTML5 that I missed? I thought we already said this. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 29 August 2008 20:12:49 UTC